On 15.7.2018 20:37, Shane Kerr wrote:
> Bonjour,
>
> I decided to implement draft-wessels-dns-zone-digest-02 at the IETF 102
> Hackathon. As expected, it is fairly straightforward. You can see the
> code on GitHub:
>
> https://github.com/shane-kerr/ZoneDigestHackathon
>
> It seems to work, although since I have no other implementation to
> compare against I can't be sure that the digest values are in any way
> correct.
>
> In proper hackathon style there are no tests. Bugs surely abound. If you
> use it in production please keep a fire extinguisher handy.
>
> I found the draft to be clear and fairly complete, although I have a few
> suggestions:
>
> * It might be worth mentioning that names are expected to be
>   uncompressed. It's kind of obvious, but it might trick up some
>   implementations.
>
> * The TTL of the ZONEMD record has to come from somewhere. It can either
>   come from configuration or pulled from somewhere else (I used the TTL
>   of the SOA record). This should be documented.
>
> * It might be worthwhile giving some recommendations or even
>   requirements about what to do with failures. For example, something
>   like "secondary servers who receive a zone that fails a digest
>   validation SHOULD NOT serve the zone".
>
> * Having some example zones and the expected digest values would be very
>   useful for implementers.

First of all thanks for your work! It is useful to test drafts this way, it obviously uncovered some deficiencies.

In any case, I believe that the real problem is not the spec or toy-implementation, the real complexity is still hidden and will unveil itself once we attempt an efficient implementation inside a high-performance DNS server.

> As a final note, while it is awesome to have dnspython available to do
> such projects, dnspython is not a joy to work with. I had a brief
> discussion with some other hackathon attendees and it seems to be a

OT: Please create issues in dnspython GitHub pages, we might look into it ...

> shared experience. I was encouraged to look at the getdns Python API,
> which has apparently had quite some thought in making it Pythonic. I may
> look at that or making a pure Python version of it at some point in the
> future. If you have other suggestions for DNS in Python feel free to
> contact me off-list (since this isn't a software development list).

-- 
Petr Špaček @ CZ.NIC

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
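
The point in the quoted message about uncompressed names, as an added example that is not part of this thread or of the ZoneDigestHackathon code: the same two NS records serialized with and without RFC 1035 name compression give different byte streams, so a digest is only reproducible if every implementation hashes the uncompressed form. The sample records, the function names and the use of SHA-384 are assumptions for illustration, not the draft's algorithm.

```python
import hashlib

# Constructed sample zone data: (owner, type, ttl, target name). Type 2 = NS.
SAMPLE = [
    ("example.", 2, 3600, "ns1.example."),
    ("example.", 2, 3600, "ns2.example."),
]

def encode_name(name, offsets=None, pos=0):
    """RFC 1035 wire format. offsets=None means uncompressed; otherwise it maps
    name suffixes already written to their offset so pointers can be emitted.
    Simplification: offsets count from the start of the stream, not a header."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = b""
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if offsets is not None:
            if suffix in offsets:  # reuse earlier occurrence via 2-byte pointer
                return out + (0xC000 | offsets[suffix]).to_bytes(2, "big")
            offsets[suffix] = pos + len(out)
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def rr_stream(records, compress):
    """Serialize records back to back, as they would sit in a transfer message."""
    offsets = {} if compress else None
    buf = b""
    for owner, rtype, ttl, target in records:
        buf += encode_name(owner, offsets, len(buf))
        # TYPE, CLASS=IN, TTL; RDLENGTH and RDATA follow.
        fixed = rtype.to_bytes(2, "big") + b"\x00\x01" + ttl.to_bytes(4, "big")
        rdata = encode_name(target, offsets, len(buf) + len(fixed) + 2)
        buf += fixed + len(rdata).to_bytes(2, "big") + rdata
    return buf

def zone_digest(records, compress=False):
    # SHA-384 is an assumption for this sketch, not taken from the draft text.
    return hashlib.sha384(rr_stream(records, compress)).hexdigest()

if __name__ == "__main__":
    print("uncompressed:", len(rr_stream(SAMPLE, False)), zone_digest(SAMPLE))
    print("compressed:  ", len(rr_stream(SAMPLE, True)), zone_digest(SAMPLE, True))
```

An implementation that hashes bytes copied straight out of a received message would compute the second value, and a verifier working from the uncompressed form would reject a zone that is in fact intact.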