Re: [dnsdir] [DNSOP] Dnsdir early review of draft-ietf-dnsop-dnssec-bootstrapping-04
Peter Thomassen <peter@desec.io> Tue, 04 July 2023 14:03 UTC
Return-Path: <peter@desec.io>
X-Original-To: dnsdir@ietfa.amsl.com
Delivered-To: dnsdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA280C14CF09; Tue, 4 Jul 2023 07:03:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=a4a.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m4Wnhu17i9PV; Tue, 4 Jul 2023 07:03:48 -0700 (PDT)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9536AC14CEFF; Tue, 4 Jul 2023 07:03:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=a4a.de; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:Subject:From :References:Cc:To:MIME-Version:Date:Message-ID:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=Xs1lYB9McZjxaB6sLLQYjp7CHh3LbYLiJdstE7R8Qb0=; b=udLvS1sWvDt0hogqFaF1RD2Znd 1LBdG0j6iocJfYzYUy7bj/C/U1wpV+la2kTjS7CGRu6x+PLV0SR7zhIZDMdQIpXbKsTV6n/RoiBxn cufwbg4A/oq7WtJu565qUVWnDJvcf3CeSlh7rR21L5eFY7u1+mT4MSuilNr4d0h8V7kFx7iQv4lcB /+Z3DOiqkFkKN3nMkVysbHm58YvFTJd/gvkIrfHOXYvGlZ7LCPdIeV8CY7/Q+qJPfkx5WAiZxJwXn O09VxuboscUbW0kI2Lq4l7HDjH9HZmLFljvBuiPYgP3661ukohDxCTvYj93dH5c+xKZAJgVqnVMOO u2ejveyQ==;
Received: from [2a00:20:608f:5dbc:2074:d461:5560:c0c5] by mail.a4a.de with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from <peter@desec.io>) id 1qGgd3-00Dotv-Qk; Tue, 04 Jul 2023 16:03:41 +0200
Message-ID: <d630c37d-d6fa-3338-d170-3600a2867773@desec.io>
Date: Tue, 04 Jul 2023 16:03:41 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.11.0
Content-Language: en-US
To: Scott Rose <scott.rose@nist.gov>, dnsdir@ietf.org
Cc: dnsop@ietf.org, draft-ietf-dnsop-dnssec-bootstrapping.all@ietf.org
References: <168788723826.63074.4889574045912805646@ietfa.amsl.com>
From: Peter Thomassen <peter@desec.io>
In-Reply-To: <168788723826.63074.4889574045912805646@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsdir/IOERGls9LFywwH8tzUmaGsRdI4g>
Subject: Re: [dnsdir] [DNSOP] Dnsdir early review of draft-ietf-dnsop-dnssec-bootstrapping-04
X-BeenThere: dnsdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DNS Directorate <dnsdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsdir>, <mailto:dnsdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsdir/>
List-Post: <mailto:dnsdir@ietf.org>
List-Help: <mailto:dnsdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsdir>, <mailto:dnsdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jul 2023 14:03:52 -0000
Hi Scott, Thank you very much for your feedback -- responses inline. You can find the changes here (will submit to datatracker before the upcoming cut-off): https://github.com/desec-io/draft-ietf-dnsop-dnssec-bootstrapping/commit/dcb914737342184c503fbb23fc37c7d3b6e363d1#diff-356ec8c295379536ae015166d01de308455cded000afc5476019b3effbb2ae43 On 6/27/23 19:33, Scott Rose via Datatracker wrote: > Reviewer: Scott Rose > Review result: Ready with Issues > > Review of dnssec-bootstrapping > > The draft is likely OK to proceed as there are only a few nits that do not > change the overall contents. I am confused about if it adds to methods in RFC > 8078 or replaces methods in RFC 8078. > > 1. Abstract: > The Abstract says that this draft deprecates the DS enrollment methods in RFC > 8078, which implies this draft will replace that text. However the Security > Considerations section implies that this draft only adds a new method and > removes none of the existing ones (possible just phrasing issue?). If this > draft intends to only add a new secure method, the abstract could be changed to > say “This document adds the new DS enrollment method to the list of methods > described in Section 3 of [RFC8078].” If this is to replace the CDS/CDNSKEY > based methods in RFC 8078, then perhaps the first sentence in the Security > Considerations section should be updated to say > > “This draft document replaces the methods described in RFC 8078 Section 3 with > a method that adds authentication. Its security level is therefore…” To make > it explicit that this draft replaces that section rather than just add another > method while retaining the methods previously described in RFC 8078. The abstract is correct. The confusing sentence in the Security Considerations was supposed to be about the security model (not about the set of methods), where all existing security properties (e.g. CDS validation) remain in place (= removes nothing), but authentication is "added". I agree this was phrased in a confusing way, and I made changes along the lines you proposed. > That is the only potentially confusing issue. The rest are nits: > > 2. Section 1.1 Terminology: “Parent” and “Child” are defined the same way in > the most recent version of the DNS Terminology RFC 8499, so a reference could > be used instead of repeating the definition. Done. (I thought it would be nice to "inline" the actual definition, but that was just a feeling.) > Also, “Signaling Name” sounds > confusing compared to the Signaling Domain. Would it be easier to write it as: > > “Signaling Name The owner name of comprised of a prefix, the Child zone name > and the Signaling domain name. Used by the Parental Agent to identify and > retrieve the Signaling Type used by the Child zone (See Section 2.2). “ > > To stress it is a name in the Signaling Domain, but contains the child zone > name. Coming up with this terminology was really challenging. The reason that the Signaling Name is only the prefix, without the Signaling Domain, is that it makes the rest of the spec easier. For example, from Section 3.1: To [...] authenticate the Child's CDS/CDNSKEY RRsets, the Child DNS Operator MUST co-publish them at the corresponding Signaling Name under each out-of-bailiwick Signaling Domain [...] With your definition, one would have to say To [...] authenticate the Child's CDS/CDNSKEY RRsets, the Child DNS Operator MUST co-publish them at each corresponding out-of-bailiwick Signaling Name [...] Do you feel that's an improvement? I appreciate that "Signaling Name" is not ideal. Perhaps instead of making this term the FQDN including the full domain, we should rename "Signaling Name" to something else. Unfortunately, "Signaling Prefix" runs the risk of being mistaken for the "Signaling Type" (which is really a prefix, it's the first label). Taking all this into account, do you have any more suggestions? > 3. Section 2.1 > Strictly speaking, would the Signaling Zone really need a secure delegation? I > could even be an island but the Parental Agent has the Signaling Zone’s SEP key > (KSK or ZSK) as an installed trust anchor. If the Parental Agent really only > needs to be able to validate RRSIGs in the Signaling Zone, the zone doesn’t > necessarily need to have a secure delegation, as it is up to the Parental Agent > to validate signatures. Not saying that is easier (it has other problems), just > possible so the MUST may be unnecessarily strict. Done > 4. Section 4.2 Parental Agent: > Last sentence in paragraph ends “…the cache does not need to get cleared in > between.)”. Might be expanded to “…cache does not need be be cleared in > between queries to unique Child Zone names.)” for clarity. Done (along those lines). Thanks, Peter -- https://desec.io/
- [dnsdir] Dnsdir early review of draft-ietf-dnsop-… Scott Rose via Datatracker
- Re: [dnsdir] [DNSOP] Dnsdir early review of draft… Peter Thomassen