subject:"\[DNSOP\] \[Ext\] Reserved field in draft\-wessels\-dns\-zone\-digest\-04.txt"

Re: [DNSOP] [Ext] Reserved field in draft-wessels-dns-zone-digest-04.txt

2018-11-03 Thread Wessels, Duane

> On Nov 3, 2018, at 1:33 PM, Wes Hardaker  wrote:
> 
> Paul Hoffman  writes:
> 
>> From the earlier list discussion and your presentation at DNS-OARC,
>> processing dynamic zones is hard, and you might make different choices
>> based on different amounts of dynamicness (dynamicity?). This should
>> cause developers concern about implementing ZONEMD now because there
>> will be an expectation that they will have to implement the changes in
>> the future.
> 
> I also look at it in terms of implementation complexity and where in the
> code base decisions are made.  EG, if you have different RRTYPEs for
> signaling things, then the logic is straight forward:
> 
>if (rrtype == ZONEMD) {
>   do_ZONEMD_stuff();
>} else if (rrtype == ZONEMDMERKLE) {
>   do_fancy_new_hashtree_stuff();
>} ...
> 
> On the other hand, with a reserved field we end up here:
> 
>if (rrtype == ZONEMD) {
>   do_ZONEMD_stuff();
>} ...
> 
> 
>do_ZONEMD_stuff() {
>if (reserved_field != 0) {
>do_fancy_new_hashtree_stuff();
>} else {
>do_ZONEMD_stuff();
>}
>}
> 
> Now, if do_ZONEMD_stuff() and do_fancy_new_hashtree_stuff() are likely
> to be sufficiently different in implementation (and I suspect they will
> be), then the first code above with two RRTYPEs is likely to be
> cleaner.  The only advantage gained in the second type is if you can put
> the brunt of the code for both do_fancy_new_hashtree_stuff() and
> do_ZONEMD_stuff() pretty much inline because there is sufficient
> overlap.
> 
> It's hard to predict what the best route is advance without knowing now
> how much the resulting double implementation will overlap.

So there is an implementation of ZONEMD, and even an implementation of "fancy 
hashtree stuff".  You can find it at 
https://github.com/verisign/ldns-zone-digest

One of the reasons I think the variable-depth hash tree is attractive is 
because when depth = 0 then it simplifies exactly to the case as though there 
is no fancy hashtree.  

In my proof-of-concept implementation, most of the added complexity from fancy 
hashtree stuff comes in the form of how the zone data is stored.  For example:

#if !ZONEMD_INCREMENTAL
ldns_rr_list *the_rrlist = 0;
#endif

#if ZONEMD_INCREMENTAL
typedef struct _zonemd_tree {
unsigned int depth;
unsigned int branch;// only for debugging?
ldns_rr_list *rrlist;
struct _zonemd_tree *parent;
struct _zonemd_tree **kids;
unsigned char digest[EVP_MAX_MD_SIZE];
bool dirty;
} zonemd_tree;
#endif

But the actual digest calculation is not that much more complex for fancy 
hashtree sutff, IMO.  The only difference is what you feed as input to the hash 
function.  At the non-leaf nodes the input is hash values of the child nodes.  
At the leaf nodes the input is the RRs wire format data.

DW

smime.p7s
Description: S/MIME cryptographic signature
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [Ext] Reserved field in draft-wessels-dns-zone-digest-04.txt

2018-11-03 Thread Wes Hardaker

Paul Hoffman  writes:

> From the earlier list discussion and your presentation at DNS-OARC,
> processing dynamic zones is hard, and you might make different choices
> based on different amounts of dynamicness (dynamicity?). This should
> cause developers concern about implementing ZONEMD now because there
> will be an expectation that they will have to implement the changes in
> the future.

I also look at it in terms of implementation complexity and where in the
code base decisions are made.  EG, if you have different RRTYPEs for
signaling things, then the logic is straight forward:

if (rrtype == ZONEMD) {
   do_ZONEMD_stuff();
} else if (rrtype == ZONEMDMERKLE) {
   do_fancy_new_hashtree_stuff();
} ...

On the other hand, with a reserved field we end up here:

if (rrtype == ZONEMD) {
   do_ZONEMD_stuff();
} ...

do_ZONEMD_stuff() {
if (reserved_field != 0) {
do_fancy_new_hashtree_stuff();
} else {
do_ZONEMD_stuff();
}
}

Now, if do_ZONEMD_stuff() and do_fancy_new_hashtree_stuff() are likely
to be sufficiently different in implementation (and I suspect they will
be), then the first code above with two RRTYPEs is likely to be
cleaner.  The only advantage gained in the second type is if you can put
the brunt of the code for both do_fancy_new_hashtree_stuff() and
do_ZONEMD_stuff() pretty much inline because there is sufficient
overlap.

It's hard to predict what the best route is advance without knowing now
how much the resulting double implementation will overlap.

Personally (authorship hat off and thus collector of consensus hat off),
I think we should use a second RRTYPE for the future as it's easier to
make implementations more module and remove earlier implementations when
that specification is no longer used because hashtrees are so cool that
nothing else is ever needed.

-- 
Wes Hardaker
USC/ISI

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [Ext] Reserved field in draft-wessels-dns-zone-digest-04.txt

2018-10-24 Thread Paul Hoffman

On Oct 24, 2018, at 2:57 AM, Wessels, Duane 
 wrote:
> 
> 
> 
>> On Oct 24, 2018, at 12:16 AM, Paul Hoffman  wrote:
>> 
>> Section 5 says:
>> 
>>  FOR DISCUSSION: The authors are willing to remove the Reserved field
>>  from this specification if the working group would prefer it.  It
>>  would mean, however, that a future version of this protocol designed
>>  to efficiently support large, dynamic zones would most likely require
>>  a new RR type.
>> 
>> Please strongly consider removing the Reserved field so that designing an 
>> way to do a message digest over a dynamic zone can be done independently.
>> 
>> Quite frankly, if the Reserved field isn't there and it's clear that this is 
>> for complete zones, I see no reason why this should even be considered 
>> experimental. The mic line at the presentation at the recent DNS-OARC seems 
>> to agree with wanting this for real, as soon as possible.
> 
> 
> Thanks for the feedback, Paul.
> 
> Personally I feel like keeping the Reserved field is potentially useful in 
> the future, but harmless if it never gets used. Can you say more about why 
> keeping it prevents independent work?

From the earlier list discussion and your presentation at DNS-OARC, processing 
dynamic zones is hard, and you might make different choices based on different 
amounts of dynamicness (dynamicity?). This should cause developers concern 
about implementing ZONEMD now because there will be an expectation that they 
will have to implement the changes in the future.

On the other hand, if you indicate "ZONEMD is for the static zones, and there 
will be a different RRtype for dynamic zones", vendors can choose later whether 
to implement the new RRtype. As others have said, new RRtypes are cheap.

> I would be very happy with standards track, but to the extent the WG is 
> skeptical I would settle for experimental at this time.

I am not skeptical of the current protocol: I am skeptical of unknown changes 
to it in the future.

--Paul Hoffman

smime.p7s
Description: S/MIME cryptographic signature
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [Ext] Reserved field in draft-wessels-dns-zone-digest-04.txt

Re: [DNSOP] [Ext] Reserved field in draft-wessels-dns-zone-digest-04.txt

Re: [DNSOP] [Ext] Reserved field in draft-wessels-dns-zone-digest-04.txt

3 matches

Site Navigation

Mail list logo

Footer information