[DNSOP] Re: Secdir last call review of draft-ietf-dnsop-zoneversion-06
"Wessels, Duane" <dwessels@verisign.com> Thu, 06 June 2024 19:53 UTC
From: "Wessels, Duane" <dwessels@verisign.com>
To: Shawn Emery <shawn.emery@gmail.com>
CC: "secdir@ietf.org" <secdir@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "draft-ietf-dnsop-zoneversion.all@ietf.org" <draft-ietf-dnsop-zoneversion.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dAncYvjg-qtTriRdzaDgejdIhZ4>

Hi Shawn,

Thank you for the review and comments. We’ve fixed the editorial comments you identified.

Regarding “decimal integer” — we use that phrase only when describing the presentation format (versus, say, hexadecimal) so we think it is appropriate. However, we would defer to the advice or suggestion of the RFC editor or other experts on this, if they have an opinion.

DW

> On Jun 5, 2024, at 11:55 PM, Shawn Emery via Datatracker <noreply@ietf.org> wrote:
>
> Reviewer: Shawn Emery
> Review result: Has Nits
>
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG. These comments
> were written primarily for the benefit of the security area directors. Document
> editors and WG chairs should treat these comments just like any other last call
> comments.
>
> This draft specifies an extension in DNS for providing zone version information
> for the associated query name. This data allows callers to better correlate
> the queried name to a zone version that it belongs, in order to better diagnose
> synchronicity issues.
>
> The security considerations section does exist and describes that this EDNS
> extension does not protect against an active attacker and therefore should only
> be used for diagnostic purposes only. The section continues, if zone version
> information is to be protected against an active attacker then the user should use
> TSIG (RFC 8945) or SIG(0) (RFC 2931) to authenticate and provide integrity
> protection. In addition, there are no new privacy issues introduced by the new
> extension given that version information is already provided publicly. I agree
> with the aforementioned assertions.
>
> General Comments:
>
> What's an unsigned decimal integer vs. unsigned integer?
>
> Editorial Comments:
>
> s/and and/and/
> s/correspond do/correspond to the/