All,

On 2018-07-18 14:36, Wessels, Duane wrote:

> It seems to work, although since I have no other implementation to compare
> against I can't be sure that the digest values are in any way correct.
>
> My own implementation, alluded to in the draft, is here:
>
> https://github.com/verisign/draft-dns-zone-digest/tree/master/impl
>
> I have a few test cases in the Tests directory.

Duane sent me a mail off-list and after minor tweaks on both sides it seems like the two implementations now interoperate.

>> * It might be worth mentioning that names are expected to be
>>   uncompressed. It's kind of obvious, but it might trip up some
>>   implementations.

> The draft says "It also adopts DNSSEC's canonical RR form (Section 6.2 of [RFC4034])" in
> one place and "calculated by concatenating the canonical on-the-wire form of all RRs"
> later.  I wouldn't object to being more explicit.  Do you want to propose some text or shall I take
> a stab?

I think just adding something like this is enough:

"calculated by concatenating the canonical on-the-wire form, without name compression, of all RRs"

>> * The TTL of the ZONEMD record has to come from somewhere. It can either
>>   come from configuration or pulled from somewhere else (I used the TTL
>>   of the SOA record). This should be documented.

> I also used the SOA TTL in my implementation.  I can make that a recommendation
> in the draft.

Someone pointed out to me that since ZONEMD is meta-data we don't really expect it to be queried normally, and a TTL of 0 is a reasonable default.

My own feeling is that I would like ZONEMD to be a "normal" record outside of zone generation, so assume that it can and will be queried just like any other record. (This is also an open question in the current draft, IIRC.)

In the current draft we already have to look at the SOA to get the serial, so using the TTL is straightforward. If we remove serial from the ZONEMD then TTL from the SOA might be less obvious, but I think it will still be the best default.

Cheers,

--
Shane
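As an added illustration of the two interoperability points raised in this thread (canonical, uncompressed wire form of every RR, and the ZONEMD TTL taken from the SOA), here is a small Python sketch. It is not code from Duane's or Shane's implementations and not the draft's normative text: it assumes SHA-384 as the digest, represents records as plain tuples, and orders RRs by canonical owner name, then type, then RDATA as a stand-in for whatever ordering the draft specifies. Which RRs are fed in (in particular how the ZONEMD RR itself is treated, and whether the SOA serial goes into the ZONEMD RDATA) is left to the draft; the sample zone is constructed for the example.

```python
import hashlib
import struct

TYPE_A, TYPE_NS, TYPE_SOA = 1, 2, 6
CLASS_IN = 1


def canonical_name(name):
    """Canonical wire form of a domain name as RFC 4034 s6.2 describes it:
    labels lower-cased and written out in full, never a compression pointer."""
    labels = [l for l in name.lower().rstrip('.').split('.') if l]
    return b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'


def compressed_owner(label, pointer_offset):
    """A name-compressed encoding (RFC 1035 s4.1.4) of the kind a DNS message
    may carry: one label followed by a pointer to an earlier copy of the rest
    of the name.  Shown only as the form that must NOT be fed to the digest."""
    return bytes([len(label)]) + label.encode('ascii') + struct.pack('!H', 0xC000 | pointer_offset)


def rdata_a(addr):
    return bytes(int(octet) for octet in addr.split('.'))


def rdata_ns(target):
    # Names inside RDATA are canonicalised the same way: lower-case, uncompressed.
    return canonical_name(target)


def rdata_soa(mname, rname, serial, refresh, retry, expire, minimum):
    return (canonical_name(mname) + canonical_name(rname)
            + struct.pack('!IIIII', serial, refresh, retry, expire, minimum))


def rr_wire(owner, rtype, rclass, ttl, rdata):
    """Canonical on-the-wire RR: owner | TYPE | CLASS | TTL | RDLENGTH | RDATA."""
    return canonical_name(owner) + struct.pack('!HHIH', rtype, rclass, ttl, len(rdata)) + rdata


def name_order_key(name):
    """Canonical name order (RFC 4034 s6.1): compare labels from the root down."""
    labels = [l.encode('ascii') for l in name.lower().rstrip('.').split('.') if l]
    return tuple(reversed(labels))


def zone_digest(records):
    """Digest of the concatenated canonical wire forms.  Assumption for this
    example: SHA-384, RRs sorted by (owner name order, type, RDATA)."""
    ordered = sorted(records, key=lambda r: (name_order_key(r[0]), r[1], r[4]))
    h = hashlib.sha384()
    for owner, rtype, rclass, ttl, rdata in ordered:
        h.update(rr_wire(owner, rtype, rclass, ttl, rdata))
    return h.hexdigest()


def zonemd_ttl(records, apex):
    """TTL for the ZONEMD record, taken from the apex SOA as discussed in the thread."""
    for owner, rtype, rclass, ttl, rdata in records:
        if rtype == TYPE_SOA and owner.lower().rstrip('.') == apex.lower().rstrip('.'):
            return ttl
    raise ValueError('no SOA record at the apex')


# Constructed sample zone (not taken from the thread): (owner, type, class, ttl, rdata).
SAMPLE_ZONE = [
    ('example.', TYPE_SOA, CLASS_IN, 3600,
     rdata_soa('ns1.example.', 'hostmaster.example.', 2018071801, 7200, 3600, 1209600, 300)),
    ('example.', TYPE_NS, CLASS_IN, 3600, rdata_ns('ns1.example.')),
    ('ns1.example.', TYPE_A, CLASS_IN, 3600, rdata_a('192.0.2.1')),
    ('www.example.', TYPE_A, CLASS_IN, 300, rdata_a('192.0.2.2')),
]

if __name__ == '__main__':
    print('ZONEMD TTL:', zonemd_ttl(SAMPLE_ZONE, 'example.'))
    print('digest:', zone_digest(SAMPLE_ZONE))
    # Feeding a compressed owner name instead of the canonical one changes the bytes,
    # so two implementations that disagree on this will never produce the same digest.
    print('compressed owner bytes:', compressed_owner('www', 12).hex())
    print('canonical owner bytes:', canonical_name('www.example.').hex())
```

The digest is independent of the order and letter case in which the records were read, because canonicalisation and sorting happen before hashing; a compressed owner name, by contrast, yields different bytes for the same name, which is exactly the mismatch the bullet about uncompressed names warns of.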

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
