IETF Logo Mail Archive

[DNSOP] AD review of draft-ietf-dnsop-dns-zone-digest-08

Barry Leiba <barryleiba@computer.org> Fri, 24 July 2020 21:20 UTC

Return-Path: <barryleiba@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7E4B3A0C71; Fri, 24 Jul 2020 14:20:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VGChOqap9A8K; Fri, 24 Jul 2020 14:20:03 -0700 (PDT)
Received: from mail-il1-f178.google.com (mail-il1-f178.google.com [209.85.166.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C2543A0C70; Fri, 24 Jul 2020 14:20:00 -0700 (PDT)
Received: by mail-il1-f178.google.com with SMTP id s21so8356368ilk.5; Fri, 24 Jul 2020 14:20:00 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=oH1OQxdtTaHe5W/wYZWB2oNDUo8h6hLNAs+T/cVzzdU=; b=mkEqimV7WHSKtlAyB+vt2O+ET21/f4UWqRCReFFehtuu1JWhFsZXvbZkXGXdXcjAjP PiMiTw/aPETdTZvvJq+yRqWq5SbmZTBD5gckko+5jcsIeOexgheEG7gESMjNvMoL2tTG GqeQtWY7tcNtOZr83pM0tW+iX05zvzyXVLA3uYeQ28KZC1ZDvVBAL2ZsoUxPlmwTbZfO IKW/ijOk0kT50LtWXyaoWnKrW+QIzXGF+jiw2GMRCZ8OPItFXyLyEc80jiZ96axEakd4 FhkZ+OovSFlgrs5HQFCPHNmgwHIURcdHHlW+7OPG4AKp6cbZSA4PfYT7VLKqe2hr28ri 6+gQ==
X-Gm-Message-State: AOAM530pIWhyDXApOzvjdwVy444wCfCyD+oNELKYD34XC8lIYQTEdQcJ qOyUn+MwzGYB8wSOjid6UVH18mvpjZnxtggqO5LNMw==
X-Google-Smtp-Source: ABdhPJwtOyIO37VBhFaXKionzKRzfeS7Cf/IqrfXyeyNA3F5QXP9RR1yxtoAIt+CReo6vDm2nGmueBjm0ovEjVthdcM=
X-Received: by 2002:a92:4983:: with SMTP id k3mr11649698ilg.275.1595625594517; Fri, 24 Jul 2020 14:19:54 -0700 (PDT)
MIME-Version: 1.0
From: Barry Leiba <barryleiba@computer.org>
Date: Fri, 24 Jul 2020 17:19:43 -0400
Message-ID: <CALaySJLrL3SVRKfa7EypV-h7ffgE619xfD9NVGY_w0Q9O-PF3Q@mail.gmail.com>
To: "draft-ietf-dnsop-dns-zone-digest.all@ietf.org" <draft-ietf-dnsop-dns-zone-digest.all@ietf.org>
Cc: IETF DNSOP WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c18faa05ab3688aa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Cu2cQLqpZvjI10vzzq3Ce84AxWM>
Subject: [DNSOP] AD review of draft-ietf-dnsop-dns-zone-digest-08
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jul 2020 21:20:07 -0000

I am serving as responsible AD for this document, because Warren is an
author, and so is recused.  Here’s my AD review.  Most comments are minor,
but I’d like to resolve the ones in Sections 2 and 3.1 before going to last
call, so I’ll set the substate to “AD Followup”.

— Section 1 —

   Zone files can
   also be distributed outside of the DNS, with such protocols as FTP,
   HTTP, rsync, and even via email.

Ultra-nit: this is a tricky one, but it’s actually not parallel.  It just
needs “and” before “rsync” to correct it.

— Section 1.1 —

   internic.net site publishes PGP signatures along side the root zone

Nit: I would say that “alongside” is one word.

— Section 1.2 —

   name server may need to send queries to validate a chain-of-trust.

Nit: “chain of trust” is a noun here, and shouldn’t be hyphenated.

— Section 1.3.1 —

   Reasons for doing so include privacy and reduced access
   time.  [RFC7706] describes one, but not the only, way to do this.

Should change this to 8806 now, no?

— Section 2 —

   It is recommended that a zone include only
   one ZONEMD RR, unless the zone publisher is in the process of
   transitioning to a new Scheme or Hash Algorithm.

This says “recommended”, and not even “RECOMMENDED”, but later we have, “If
the ZONEMD RRSet contains more than one RR with the same Scheme and Hash
Algorithm, digest verification MUST NOT be considered successful.”  So how
is this not a MUST, given that it will not interoperate if it’s violated?

— Section 3.1 —

   Implementations MAY want to set the
   Digest field to all zeroes anyway.

Why?  I certainly wouldn’t “want” to if there’s no benefit to doing so.  As
you mention it, I’m guessing there’s a reason.  Best to say?

— Section 3.4 —

   o  Only one instance of duplicate RRs with equal owner, class, type
      and RDATA SHALL be included ([RFC4034] Section 6.3).

It’s not wrong, but it’s slightly jarring that all the items around this
say “MUST” and this one says “SHALL”.  Any reason, or should we switch this
to “MUST” to match the others?

— Section 6.2 —

   Certainly other RR types result in
   larger amplification effects (i.e., DNSKEY).

Is DNSKEY the only one (“i.e.”)?  Or might there be others, as the text
implies?  Should this be “e.g.”?  And is “result” the right word here?

— Section 9 —

   The authors wish to thank David Blacka

Is that to distinguish him from David Blackb?

—
Barry

v2.23.0 | Report a Bug | By Email