[DNSOP] Re: Working Group Last Call for draft-ietf-dnsop-rfc7958bis
John R Levine <johnl@taugh.com> Sun, 30 June 2024 22:31 UTC
Date: Sun, 30 Jun 2024 18:31:12 -0400
Message-ID: <0bc64fd0-0031-4ca2-b722-ad0d585ea686@taugh.com>
From: John R Levine <johnl@taugh.com>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <E58B1C4D-1DB0-4123-9C91-02E7FDC6D6EB@icann.org>
References: <CADyWQ+EGh2N8tssBRskH=PVXV1e1eON4z=8E1JWPypNUyZVwLg@mail.gmail.com> <879F4E56-9939-4C57-A597-9BB113F92C0D@iana.org> <E58B1C4D-1DB0-4123-9C91-02E7FDC6D6EB@icann.org>
Subject: [DNSOP] Re: Working Group Last Call for draft-ietf-dnsop-rfc7958bis
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/D-AoUg_2nCU4EfkPYjM0svZIqfw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
I took a look and didn't find anything particularly troubling. I agree that adding the new optional DNSKEY element doesn't need a version number. Getting rid of private certificates in favor of a CA signed cert for the HTTPS server makes sense.

On the other hand, I don't understand what the point of the new optional DNSKEY field in the XML is. I see that IANA does not currently include it. It's always been possible to retrieve the DNSKEY records from the live root and check that one of them matches the digest in the XML. Is this to provide a way to remember the old DNSKEYs that have been rotated out of the root? A sentence or two describing the motivation would help.

The third paragraph of section 3.2 describes a detached CMS signature. While I realize it's there in 7958, I don't see how it provides any security at all. It's signed with an ICANN private key but there's no way I can see to tell the "real" ICANN CA from one that I just made up to sign my fake XML. The useful security is the accredited CA signed HTTPS certificate described in the following paragraph, so I'd take the CMS signature out or at least note that it's trivial to defeat unless you have external knowledge about ICANN's private CA.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
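The check the message refers to, matching live root DNSKEY records against the KeyDigest entries in a trust anchor file, as an added example that is not part of the message, the draft, or IANA's published tooling. It uses the KeyDigest layout from RFC 7958 and the key tag and DS digest computations from RFC 4034. Every key byte, digest and `id`/`source` value below is constructed for illustration, and the sample anchor file is generated from the constructed key so the script runs offline; a real check would read IANA's published file and the DNSKEY RRset fetched from the root servers.

```python
"""Match DNSKEY records against an RFC 7958-style trust anchor file.

Added example; not code from the draft, IANA, or the original message.
All key material and digests here are constructed, not real root data.
"""
import hashlib
import struct
import xml.etree.ElementTree as ET
from datetime import datetime, timezone


def name_to_wire(name: str) -> bytes:
    """Owner name in DNS wire format, lowercased; the root is a single zero byte."""
    name = name.lower().rstrip(".")
    if not name:
        return b"\x00"
    out = b""
    for label in name.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as on the wire: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """RFC 4034 section 5.1.4: digest over owner name (wire form) || DNSKEY RDATA."""
    return DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def parse_trust_anchors(xml_text: str, now: datetime):
    """Return (zone, entries) for the KeyDigest elements whose validity window contains `now`."""
    root = ET.fromstring(xml_text)
    zone = root.findtext("Zone")
    entries = []
    for kd in root.findall("KeyDigest"):
        if now < datetime.fromisoformat(kd.get("validFrom")):
            continue  # not yet valid
        until = kd.get("validUntil")
        if until and now >= datetime.fromisoformat(until):
            continue  # rotated out
        entries.append({
            "key_tag": int(kd.findtext("KeyTag")),
            "algorithm": int(kd.findtext("Algorithm")),
            "digest_type": int(kd.findtext("DigestType")),
            "digest": kd.findtext("Digest").strip().upper(),
        })
    return zone, entries


def matching_anchor(zone: str, entries, dnskeys):
    """First (entry, rdata) pair where a DNSKEY's DS digest equals an anchor digest, else None."""
    for rdata in dnskeys:
        algorithm, tag = rdata[3], key_tag(rdata)
        for e in entries:
            if e["algorithm"] != algorithm or e["key_tag"] != tag:
                continue  # cheap pre-filter before hashing
            if ds_digest(zone, rdata, e["digest_type"]) == e["digest"]:
                return e, rdata
    return None


def check_live_keys(xml_text: str, dnskeys, now_iso: str = None) -> bool:
    """True when at least one supplied DNSKEY matches a currently valid anchor digest."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    zone, entries = parse_trust_anchors(xml_text, now)
    return matching_anchor(zone, entries, dnskeys) is not None


# Constructed keys: a KSK (flags 257, SEP bit set) and a ZSK (flags 256), algorithm 8,
# each with a placeholder 4-byte "public key". Nothing here is real root key material.
SAMPLE_KSK = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
SAMPLE_ZSK = dnskey_rdata(256, 3, 8, b"\x0a\x0b\x0c\x0d")
ZERO_DIGEST = "00" * 32

# Constructed anchor file in the RFC 7958 layout; ids and source are placeholders.
# It is generated from SAMPLE_KSK so the example is self-contained.
SAMPLE_ANCHOR_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="EXAMPLE-ID" source="https://example.invalid/root-anchors.xml">
  <Zone>.</Zone>
  <KeyDigest id="example-ksk" validFrom="2024-01-01T00:00:00+00:00">
    <KeyTag>{key_tag(SAMPLE_KSK)}</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>{ds_digest(".", SAMPLE_KSK, 2)}</Digest>
  </KeyDigest>
  <KeyDigest id="example-retired" validFrom="2010-01-01T00:00:00+00:00"
             validUntil="2020-01-01T00:00:00+00:00">
    <KeyTag>1</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>{ZERO_DIGEST}</Digest>
  </KeyDigest>
</TrustAnchor>
"""

if __name__ == "__main__":
    live = [SAMPLE_ZSK, SAMPLE_KSK]
    print("live KSK matches anchor:", check_live_keys(SAMPLE_ANCHOR_XML, live))
    forged = [dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x05")]
    print("altered key matches anchor:", check_live_keys(SAMPLE_ANCHOR_XML, forged))
```

The comparison only tells you that the DNSKEY you fetched is the one the file describes; it says nothing about whether the file itself is genuine, which is exactly the point the message makes about the CMS signature versus the CA-issued HTTPS certificate. The key tag and algorithm pre-filter is an optimisation only; the digest comparison is the actual check.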