[DNSOP] comments on draft-dupont-dnsop-rfc2845bis-01

神明達哉 <jinmei@wide.ad.jp> Wed, 07 March 2018 18:22 UTC

Message-ID: <CAJE_bqfZL-KeKTyeJL5cfRZvffeuf=vmxLbv7_+zMr+_NtULnw@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/YbyYX79GJO8BF8QT5GLy3nSnLOk>

I have a couple of high-level comments on rfc2845bis-01:

- Section 11.1 and Appendix B say "the MAC must be considered to be
  invalid until it was validated".  This is fine, but it was not
  immediately clear to me specifically how RFC2845 was updated based
  on this principle until I actually compared the RFC and the draft
  closely and found the key difference in the "Server TSIG checks"
  section:
  RFC2845:
   [...]  The server MUST perform the following checks in the
   following order, check KEY, check TIME values, check MAC.

  rfc2845bis-01:
   [...]  The server MUST perform the following checks in the
   following order, check Key, check MAC, check Time values, check
   Truncation policy.

  I suggest clarifying the relationship between the principle and the
  actual protocol change either in Section 11.1 or in Section 6.5, or
  in both.

- Regarding the author list (noted in Appendix B):

      Authors of original documents were moved to Acknowledgments
      (Appendix A).

  if not done yet, I suggest contacting the authors of the previous RFCs to
  confirm this is okay.  Previously I experienced a case where an
  author of the original RFC was not comfortable with being removed
  from the author list in a bis doc.

And, one minor typo in Section 4.3:

         *  Time Signed - the The Time Signed field specifies seconds
            since 00:00 on 1970-01-01 UTC.

'The' should be removed.

--
JINMEI, Tatuya
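The check-order difference the message quotes (RFC 2845: key, time, MAC; rfc2845bis-01: Key, MAC, Time, Truncation policy) is easier to see in code. The following is an added illustration, not code from the post, the draft, or any DNS implementation: it models a server-side TSIG verifier with both orders side by side. The key table, the shared secret, the query bytes and the timestamps are constructed sample values, and the digest input is a simplified stand-in for the real TSIG wire-format variables (the RCODE values BADSIG/BADKEY/BADTIME/BADTRUNC and the RFC 4635 truncation bounds are the real ones). With a forged MAC and a stale timestamp, the legacy order reports BADTIME before the MAC has been looked at, while the draft's order reports BADSIG, which is the observable consequence of treating the MAC as invalid until it has been validated.

```python
import hashlib
import hmac
from dataclasses import dataclass

# TSIG error RCODEs (RFC 2845 section 1.7; BADTRUNC added by RFC 4635)
NOERROR, BADSIG, BADKEY, BADTIME, BADTRUNC = 0, 16, 17, 18, 22

# Constructed key table: key name -> (algorithm, shared secret).  Not a real key.
KEYS = {
    "xfer-key.example.": ("hmac-sha256", b"constructed-shared-secret-not-a-real-key"),
}
DIGEST = {"hmac-sha256": hashlib.sha256}


@dataclass
class TsigRequest:
    """Fields of a received message that the server checks (simplified: a real
    TSIG RR also carries original ID, error and other data)."""
    message: bytes     # DNS message with the TSIG RR removed
    key_name: str
    algorithm: str
    time_signed: int   # seconds since the Unix epoch (48-bit field on the wire)
    fudge: int         # permitted clock skew in seconds
    mac: bytes         # MAC as received, possibly truncated


def digest_input(req):
    # Simplified stand-in for the TSIG variables covered by the MAC; the real
    # wire format canonicalises the key name and algorithm as DNS names.
    return (req.message
            + req.key_name.lower().encode()
            + req.algorithm.lower().encode()
            + req.time_signed.to_bytes(6, "big")
            + req.fudge.to_bytes(2, "big"))


def compute_mac(secret, req):
    return hmac.new(secret, digest_input(req), DIGEST[req.algorithm.lower()]).digest()


def sign(secret, message, key_name, time_signed, fudge=300, algorithm="hmac-sha256"):
    """Client side: build a request and attach its full-length MAC."""
    req = TsigRequest(message, key_name, algorithm, time_signed, fudge, b"")
    req.mac = compute_mac(secret, req)
    return req


def _time_ok(req, now):
    return abs(now - req.time_signed) <= req.fudge


def check_rfc2845(req, now, keys=KEYS):
    """Legacy order from RFC 2845: check KEY, check TIME values, check MAC."""
    entry = keys.get(req.key_name.lower())
    if entry is None or entry[0] != req.algorithm.lower():
        return BADKEY
    if not _time_ok(req, now):
        return BADTIME          # decided before the MAC has been examined at all
    if not hmac.compare_digest(req.mac, compute_mac(entry[1], req)):
        return BADSIG
    return NOERROR


def check_rfc2845bis(req, now, keys=KEYS):
    """Order from rfc2845bis-01: check Key, check MAC, check Time values,
    check Truncation policy."""
    entry = keys.get(req.key_name.lower())
    if entry is None or entry[0] != req.algorithm.lower():
        return BADKEY
    expected = compute_mac(entry[1], req)
    # Compare only as many octets as were received; whether that length is
    # acceptable is a policy question answered after the MAC itself is known good.
    if len(req.mac) == 0 or not hmac.compare_digest(req.mac, expected[:len(req.mac)]):
        return BADSIG
    if not _time_ok(req, now):
        return BADTIME          # only reached for a message whose MAC verified
    # Truncation policy as in RFC 4635 section 3.1: at least 10 octets and at
    # least half the digest length, and never more than the full digest.
    full = len(expected)
    if not (max(10, full // 2) <= len(req.mac) <= full):
        return BADTRUNC
    return NOERROR


if __name__ == "__main__":
    secret = KEYS["xfer-key.example."][1]
    now = 1520446948                                   # constructed "current time"
    forged = sign(b"wrong-secret", b"constructed query", "xfer-key.example.", now - 3600)
    print("RFC 2845 order   :", check_rfc2845(forged, now))      # 18 (BADTIME)
    print("rfc2845bis order :", check_rfc2845bis(forged, now))   # 16 (BADSIG)
```

The contrast worth noting for an implementer is the forged-and-stale case: under the legacy order the server never computes the MAC, so the error it returns is derived from an unauthenticated field, whereas under the draft's order every BADTIME or BADTRUNC response is only ever produced for a message whose MAC has already verified under the named key.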