[DNSOP] comments on draft-wessels-edns-key-tag-00
神明達哉 <jinmei@wide.ad.jp> Mon, 02 November 2015 04:23 UTC
Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D10721B44BC for <dnsop@ietfa.amsl.com>; Sun, 1 Nov 2015 20:23:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.978
X-Spam-Level:
X-Spam-Status: No, score=-0.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xaMTefy-b08B for <dnsop@ietfa.amsl.com>; Sun, 1 Nov 2015 20:23:04 -0800 (PST)
Received: from mail-ig0-x22a.google.com (mail-ig0-x22a.google.com [IPv6:2607:f8b0:4001:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38D111B44B6 for <dnsop@ietf.org>; Sun, 1 Nov 2015 20:23:04 -0800 (PST)
Received: by igpw7 with SMTP id w7so41629964igp.1 for <dnsop@ietf.org>; Sun, 01 Nov 2015 20:23:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:message-id:subject:from:to:content-type; bh=Ympt9FWziAHmJ8uvCN4o4RPZzMNg8lvPxxKKj7uZSFg=; b=bLOKZpNfY63Hi1nNq+mNeGgH9xsJwde4N3zv+aaZ5dLu/6c7Ieriu9nYPYWnDpm90H bHTTtXPj2sgJCd3CcaX3Y0m1sE8W7J/LqMQ3/WfWYLxp2O4wifxOlxshi0aXl+8wVzzJ 35LhgbqM5IHBRv1kQkPfVb2VCTZVVInp7FbE/XsP6QwhPuwvgZHaeAQbZENaPY2hchEW KrarDxktyWBp07Wn9RNHASCiKcX8PlH3Qf+C4UQl9uECdW/fuP6y1O02SmDxI+KYIARz Z9LQeF1xkio/cUcKHDQLmTaOTZ0WRbps2k+13CZvNL4d33CrP1VPClZ7erG9I66BJkUA vzqg==
MIME-Version: 1.0
X-Received: by 10.50.111.79 with SMTP id ig15mr8326401igb.41.1446438183650; Sun, 01 Nov 2015 20:23:03 -0800 (PST)
Sender: jinmei.tatuya@gmail.com
Received: by 10.107.140.71 with HTTP; Sun, 1 Nov 2015 20:23:03 -0800 (PST)
Date: Mon, 02 Nov 2015 13:23:03 +0900
X-Google-Sender-Auth: lmMtAIW2Jp0K8KIEgyrMDXhF1cg
Message-ID: <CAJE_bqe3EMEQt=Mg629irMHqiWRbmxR9AgDN_fuYTOASWYg0gg@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/AE7T-zOoPjXgeG6P0t-nRIFG8Hg>
Subject: [DNSOP] comments on draft-wessels-edns-key-tag-00
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Nov 2015 04:23:06 -0000
I've read draft-wessels-edns-key-tag-00. I think it's generally well written. I have a few small comments. - Sections 5.2.1 When the recursive server receives a query with the option set, the recursive server SHOULD set the edns-key-tag list for any outgoing iterative queries for that resolution chain to a union of the stub client's Key Tag(s) and the validating recursive resolver's Key Tag(s). What if the recursive server receives the same query from multiple clients with different key tags and tries to unify the multiple original queries (some recursive server implementations do this unification)? Is it expected to include a union of all these key tags? What if the result of this makes the query too big (even if it's quite unlikely to happen in practice)? Same questions apply to Section 5.2.2. - Regarding security considerations, should we worry about an attack where the attacker pretends to a massive number of different clients sending an old key tag, intending to prevent or delay the migration to a new key? -- JINMEI, Tatuya