IETF Logo Mail Archive

[DNSOP] Re: Gunter Van de Velde's No Objection on draft-ietf-dnsop-rfc8624-bis-09: (with COMMENT)

Wes Hardaker <wes@hardakers.net> Tue, 20 May 2025 20:10 UTC

Return-Path: <wes@hardakers.net>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id E319E2ADFDD3; Tue, 20 May 2025 13:10:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=hardakers.net
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RDOGz-2xT2IY; Tue, 20 May 2025 13:10:24 -0700 (PDT)
Received: from mail.hardakers.net (mail.hardakers.net [107.220.113.177]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id BE2042ADFDC3; Tue, 20 May 2025 13:10:24 -0700 (PDT)
Received: from localhost (unknown [10.0.0.9]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mail.hardakers.net (Postfix) with ESMTPSA id AF0A82003B; Tue, 20 May 2025 13:10:22 -0700 (PDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.hardakers.net AF0A82003B
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hardakers.net; s=default; t=1747771822; bh=edgqVFGIwrcc0by9caUfWKIAT3FZcKdU/0CPyFLi2Do=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=ZM9LfJSTkFrsBu/xXb/wJeY94KXdXfGSM6c/hQ6DNuY3UUHGO8ZOF75hYmzxHcylI m/O6cd/DuFNiBk/go/GENSVbZBFEXFobwuXcujyVtedUjI209vd4XKv+YKSEK5ygko XnVYg+m/SHGpZ+PK9NsEg5XhnQ3R2IwONcrc+5WU=
From: Wes Hardaker <wes@hardakers.net>
To: Gunter Van de Velde via Datatracker <noreply@ietf.org>
In-Reply-To: <174679325247.1296472.14515127530508932504@dt-datatracker-58d4498dbd-6gzjf> (Gunter Van de Velde via Datatracker's message of "Fri, 09 May 2025 05:20:52 -0700")
References: <174679325247.1296472.14515127530508932504@dt-datatracker-58d4498dbd-6gzjf>
Date: Tue, 20 May 2025 13:10:22 -0700
Message-ID: <ybltt5fm4b5.fsf@wd.hardakers.net>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: HE427BX7AFRSTPVH5XSZB4V2DSBSFWIZ
X-Message-ID-Hash: HE427BX7AFRSTPVH5XSZB4V2DSBSFWIZ
X-MailFrom: wes@hardakers.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: The IESG <iesg@ietf.org>, Gunter Van de Velde <gunter.van_de_velde@nokia.com>, draft-ietf-dnsop-rfc8624-bis@ietf.org, dnsop-chairs@ietf.org, dnsop@ietf.org, tjw.ietf@gmail.com
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: Gunter Van de Velde's No Objection on draft-ietf-dnsop-rfc8624-bis-09: (with COMMENT)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/f71-ag8GHWUtYjKWNG9qY5SUZ4c>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Gunter Van de Velde via Datatracker <noreply@ietf.org> writes:

Thanks for the review Gunter,

Comments/Responses inline:

> 21         RFC8624 to an IANA registry.  This is done both to allow the list to
> 22         be more easily updated, and to allow the list to be more easily
> 23         referenced.  Future extensions to this registry can be made under
> 24         new, incremental update RFCs.  This document also incorporates the
> 25         revised IANA DNSSEC considerations from [RFC9157].
> 
> GV> The text here mentions a 'list'. The list was not mentioned before and made
> me wonder what 'list' is intended?

Good point, I changed the first "list" to "list of requirements" which
is really what was being talked about (technically it was referring to
the list of requirements).

> 124        Implementations need to meet both high security expectations as well
> 125        as provide interoperability between various vendors and with
> 126        different versions.
> 
> GV> Maybe swap the word vendor with implementations? one vendor can have
> multiple procedure implementations that may not interop well together.. been
> there and done that :-/
> 
> s/vendors/implementations/

Done

> 142        algorithm.  As such this document also adds new recommendations about
> 143        which algorithms should be deployed regardless of implementation
> 144        status.
> 
> GV> Just a quick question, is it fair to assume that the current recommendation
> is based on existing operational experience? In other words, do we expect these
> recommendations to hold up well as deployment matures and stronger
> cryptographic options become available?

I would expect that to be the case generally, but don't think we should
explicitly state that it will always be the case.  I can see corner
cases where sudden algorithm weaknesses cause the need for a rapid shift
regardless of current deployment/implementations/etc.

> 358        This document makes no modifications to the security of the existing
> 359        protocol or recommendations described in [RFC8624].  Thus, the
> 360        security considerations remain the same, which we quote below.
> 
> GV>  Just a personal and minor stylistic comment. I tend to avoid using the
> word "we" in formal procedure specifications, as it can be a bit ambiguous.
> It’s not always clear who "we" refers to, the authors, the working group, or
> perhaps the IETF as a whole. Feel free to disregard this if you prefer, but you
> might consider rephrasing slightly to remove "we" and give the text a more
> specification-style tone.

I changed this to:

   This document makes no modifications to the security of the
   existing protocol or recommendations described in [RFC8624].  Thus,
   the security considerations remain the same.  The remainder of this
   section restates that document's text.

Hopefully this works?
-- 
Wes Hardaker                                     
USC/ISI

v2.31.3 | Report a Bug | By Email | System Status