[DNSOP] Roman Danyliw's No Objection on draft-ietf-dnsop-rfc2845bis-07: (with COMMENT)
Roman Danyliw via Datatracker <noreply@ietf.org> Wed, 11 March 2020 02:48 UTC
From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-dnsop-rfc2845bis@ietf.org, dnsop-chairs@ietf.org, dnsop@ietf.org, Benno Overeinder <benno@NLnetLabs.nl>, benno@NLnetLabs.nl
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <158389490234.15500.4490499653807363764@ietfa.amsl.com>
Date: Tue, 10 Mar 2020 19:48:22 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/11tZv3mcVxT1c68MJ059on0-Pw8>
Subject: [DNSOP] Roman Danyliw's No Objection on draft-ietf-dnsop-rfc2845bis-07: (with COMMENT)
Roman Danyliw has entered the following ballot position for
draft-ietf-dnsop-rfc2845bis-07: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc2845bis/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

** Section 1.3. Per “In 2017, two nameservers strictly following that document (and the related [RFC4635]) were discovered to have security problems related to this feature”, consider providing a reference to the published vulnerabilities (i.e., CVE-2017-3142 and CVE-2017-3143)

** Section 6. Per “SHA-1 collisions have been demonstrated so the MD5 security considerations apply to SHA-1 in a similar manner. Although support for hmac-sha1 in TSIG is still mandatory for compatibility reasons, existing uses should be replaced with hmac-sha256 or other SHA-2 digest algorithms [FIPS180-4], [RFC3874], [RFC6234].”

-- It’s worth repeating those MD5 security considerations here

-- (from Magnus Nystrom’s SECDIR review, thanks Magnus!) it’s worth including references to the recent SHA-1 cryptanalysis provided in the SECDIR review

-- The SHA-2 family should be a normative SHOULD (or RECOMMENDED).

** Section 10. Per “For all of the message authentication code algorithms listed in this document, those producing longer values are believed to be stronger”, as noted in Magnus’s SECDIR review, this could be misconstrued as the algorithm choice not the digest length provides the security. Recommend rephrasing (or making some statement

** Editorial

-- Section 4.3.2. Per “When verifying an incoming message, this is the message after the TSIG RR and been removed and the ARCOUNT field has been decremented.”, this sentence doesn’t parse (is missing a word).

-- Section 4.3.2. Per “A whole and complete DNS message in wire format.”, this isn’t a sentence.
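As an added illustration of the Section 4.3.2, Section 6 and Section 10 points discussed above (example code written for this page, not part of the draft, the review, or any nameserver implementation): a minimal TSIG signer and verifier using hmac-sha256, in which the verifier digests the received message only after removing the trailing TSIG RR and decrementing ARCOUNT, and rejects MACs shorter than the RFC 4635 lower bound (the larger of 10 octets and half the digest length). The key name, shared secret and query are constructed placeholders.

```python
import hmac, hashlib, struct
ALG = "hmac-sha256."   # algorithm name carried in the TSIG RR and included in the digest

def name_wire(name):
    """Uncompressed wire-format name, lowercased as the TSIG digest requires."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def skip_name(msg, off):
    """Offset just past a wire-format name (stops at a compression pointer too)."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 else 1)

def tsig_data(msg, key_name, ts, fudge, err=0, other=b""):
    """TSIG variables in digest order: message, NAME, CLASS=ANY, TTL=0, algorithm, time, fudge, error, other."""
    return (msg + name_wire(key_name) + struct.pack("!HI", 255, 0) + name_wire(ALG)
            + struct.pack("!HIHHH", ts >> 32, ts & 0xFFFFFFFF, fudge, err, len(other)) + other)

def sign(key, msg, key_name, ts, fudge=300):
    """Append an hmac-sha256 TSIG RR (type 250) to msg and increment ARCOUNT."""
    mac = hmac.new(key, tsig_data(msg, key_name, ts, fudge), hashlib.sha256).digest()
    rdata = (name_wire(ALG) + struct.pack("!HIHH", ts >> 32, ts & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", struct.unpack("!H", msg[:2])[0], 0, 0))  # original ID, error, other len
    rr = name_wire(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack("!H", struct.unpack("!H", msg[10:12])[0] + 1) + msg[12:] + rr

def verify(key, signed, key_name, now):
    """Verify: recompute the MAC over the message with the TSIG RR removed and ARCOUNT decremented."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(qd):                       # skip the question section
        off = skip_name(signed, off) + 4
    for _ in range(an + ns + ar - 1):         # skip every RR except the last one
        end = skip_name(signed, off)
        off = end + 10 + struct.unpack("!H", signed[end + 8:end + 10])[0]
    end = skip_name(signed, off)
    if struct.unpack("!H", signed[end:end + 2])[0] != 250:   # last RR must be TSIG
        return False
    a_end = skip_name(signed, end + 10)       # RDATA starts with the algorithm name
    ts_hi, ts_lo, fudge, mac_len = struct.unpack("!HIHH", signed[a_end:a_end + 10])
    mac, ts = signed[a_end + 10:a_end + 10 + mac_len], (ts_hi << 32) | ts_lo
    msg = signed[:10] + struct.pack("!H", ar - 1) + signed[12:off]   # what the sender digested
    expected = hmac.new(key, tsig_data(msg, key_name, ts, fudge), hashlib.sha256).digest()
    return (mac_len >= max(10, len(expected) // 2)          # RFC 4635 minimum MAC length
            and hmac.compare_digest(expected[:mac_len], mac) and abs(now - ts) <= fudge)

# Constructed sample: an A query for example.com and a placeholder shared secret.
KEY = b"placeholder-shared-secret"
QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + name_wire("example.com") + struct.pack("!HH", 1, 1)
```

Because the verifier always supplies its own key name and algorithm when rebuilding the digest, a TSIG RR that names a different key or algorithm fails the MAC comparison rather than being trusted on the strength of the RR's own fields.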