[DNSOP] Re: Working Group Last Call for draft-ietf-dnsop-rfc7958bis

John R Levine <johnl@taugh.com> Sun, 30 June 2024 22:31 UTC

Date: Sun, 30 Jun 2024 18:31:12 -0400
Message-ID: <0bc64fd0-0031-4ca2-b722-ad0d585ea686@taugh.com>
From: John R Levine <johnl@taugh.com>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <E58B1C4D-1DB0-4123-9C91-02E7FDC6D6EB@icann.org>
References: <CADyWQ+EGh2N8tssBRskH=PVXV1e1eON4z=8E1JWPypNUyZVwLg@mail.gmail.com> <879F4E56-9939-4C57-A597-9BB113F92C0D@iana.org> <E58B1C4D-1DB0-4123-9C91-02E7FDC6D6EB@icann.org>
Subject: [DNSOP] Re: Working Group Last Call for draft-ietf-dnsop-rfc7958bis
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/D-AoUg_2nCU4EfkPYjM0svZIqfw>

I took a look and didn't find anything particularly troubling.  I agree 
that adding the new optional DNSKEY element doesn't need a version number. 
Getting rid of private certificates in favor of a CA signed cert for the 
HTTPS server makes sense.

On the other hand, I don't understand what the point of the new optional 
DNSKEY field in the XML is.  I see that IANA does not currently include 
it.

It's always been possible to retrieve the DNSKEY records from the live 
root and check that one of them matches the digest in the XML.  Is this to 
provide a way to remember the old DNSKEYs that have been rotated out of 
the root?  A sentence or two describing the motivation would help.

The third paragraph of section 3.2 describes a detached CMS signature. 
While I realize it's there in 7958, I don't see how it provides any 
security at all.  It's signed with an ICANN private key but there's no way 
I can see to tell the "real" ICANN CA from one that I just made up to sign 
my fake XML.  The useful security is the accredited CA signed HTTPS 
certificate described in the following paragraph, so I'd take the CMS 
signature out or at least note that it's trivial to defeat unless you have 
external knowledge about ICANN's private CA.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
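The check described in the message above (take the DNSKEY RRset from the live root, compute each key's DS-style digest, and see whether one of them matches a KeyDigest entry in the RFC 7958 trust-anchor XML) as an added worked example. This is editor-supplied code, not code from the message, the draft, IANA or ICANN. The XML document, the DNSKEY bytes, the anchor ids and the dates are constructed placeholders (the public-key bytes are not a real RSA key); a real run would feed in the RRset from `dig . DNSKEY` and the XML fetched from IANA. The digest is H(owner-name wire form || DNSKEY RDATA) per RFC 4034, and the key tag is the RFC 4034 Appendix B algorithm; the validity window check on validFrom/validUntil is an extra step a practitioner would want that the message does not mention.

```python
"""Match live root DNSKEYs against KeyDigest entries in RFC 7958-style trust-anchor XML.
All inputs in this file are constructed for illustration (see comments)."""
import hashlib
import struct
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# DS digest-type registry values -> hashlib names (3 is GOST, left out deliberately)
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


def name_to_wire(name: str) -> bytes:
    """Owner name in uncompressed DNS wire form; the root "." is a single zero octet."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the retired RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = H(owner wire form || DNSKEY RDATA), upper-case hex as in the XML."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def parse_trust_anchors(xml_text: str) -> list:
    """Parse the TrustAnchor/Zone/KeyDigest structure of RFC 7958 into dicts."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    zone = root.findtext("Zone")
    anchors = []
    for kd in root.findall("KeyDigest"):
        until = kd.get("validUntil")  # optional: absent for the currently valid anchor
        anchors.append({
            "id": kd.get("id"),
            "zone": zone,
            "valid_from": datetime.fromisoformat(kd.get("validFrom")),
            "valid_until": datetime.fromisoformat(until) if until else None,
            "key_tag": int(kd.findtext("KeyTag")),
            "algorithm": int(kd.findtext("Algorithm")),
            "digest_type": int(kd.findtext("DigestType")),
            "digest": kd.findtext("Digest").strip().upper(),
        })
    return anchors


def match_anchors(anchors: list, dnskeys: list, now_iso: str = None) -> list:
    """Return ids of anchors that are inside their validity window and are matched
    by some DNSKEY (flags, protocol, algorithm, pubkey) from the live zone."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    matched = []
    for a in anchors:
        if now < a["valid_from"] or (a["valid_until"] and now > a["valid_until"]):
            continue  # expired or not yet valid: do not trust it even if it matches
        for flags, proto, alg, pub in dnskeys:
            if alg != a["algorithm"]:
                continue
            rdata = dnskey_rdata(flags, proto, alg, pub)
            # key tag first (cheap), then the digest that actually binds the key
            if key_tag(rdata) == a["key_tag"] and \
                    ds_digest(a["zone"], rdata, a["digest_type"]) == a["digest"]:
                matched.append(a["id"])
                break
    return matched


# Constructed sample "live" DNSKEYs; placeholder key bytes, not real RSA keys.
SAMPLE_KSK = (257, 3, 8, bytes(range(1, 33)))
SAMPLE_ZSK = (256, 3, 8, bytes(range(100, 132)))


def build_sample_xml() -> str:
    """Constructed anchor file: one retired anchor that matches nothing, one current one."""
    rdata = dnskey_rdata(*SAMPLE_KSK)
    good = ds_digest(".", rdata, 2)
    stale = "00" * 32  # digest of a key that has been rotated out of the zone
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="constructed-example" source="https://example.invalid/root-anchors.xml">
<Zone>.</Zone>
<KeyDigest id="old" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
<KeyTag>12345</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>{stale}</Digest>
</KeyDigest>
<KeyDigest id="current" validFrom="2017-02-02T00:00:00+00:00">
<KeyTag>{key_tag(rdata)}</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>{good}</Digest>
</KeyDigest>
</TrustAnchor>"""


if __name__ == "__main__":
    anchors = parse_trust_anchors(build_sample_xml())
    print("matched anchors:", match_anchors(anchors, [SAMPLE_KSK, SAMPLE_ZSK],
                                             "2024-06-30T00:00:00+00:00"))
```

Note that this only proves the XML and the live RRset agree with each other; it says nothing about who produced the XML, which is exactly the point made above about the detached CMS signature. Whatever fetched the XML (the HTTPS certificate chain, or out-of-band knowledge of the signing key) is what supplies the trust.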