[DNSOP] Re: [Ext] Request: Review changes - draft-ietf-dnsop-rfc7958bis-03 → 04.
Michael StJohns <msj@nthpermutation.com> Fri, 09 August 2024 19:16 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/jgQavniIIuQzPUGNL1La4cdWKJ4>
Two comments - one major and one very minor.

Major: I'm sorry for the late comment, but I didn't realize you were planning on starting to provide prospective DS's for unpublished keys. Telling people there's a new trust anchor, and that the live key matches this file, is one thing - easy enough for a relying party to match up a few things and accept the TA update. Telling them there's an unpublished key and "trust me, when you see it it will have this digest and you should go ahead now and install it in your trust anchors" seems to be a bit more risky.

Looking at the Security Considerations - I don't think the updates to this section made this sufficiently evident. I'd suggest two things: 1) talk about the above in the security considerations, and 2) place a disclaimer in the TA file with similar language about the prospective key material.

Minor minor minor nit - feel free to ignore this: The flags field for the DNSKEY is represented in most DNS presentation modes as an unsigned decimal integer - but it's actually a bit field of two bytes. The representation is used mostly because that's what a DNS Zone File used (e.g. either Base64 or a decimal integer) for most non-text fields. Unclear whether decimal should be used for XML. It may make some sense here to use <xsd:hexBinary { length = 2 }/> as the field type - <Flag>0101</Flag> instead of the decimal 257. Easier to see what bits have been set.

Later, Mike

On 8/9/2024 2:22 PM, Paul Hoffman wrote:
> To everyone who reviewed draft-ietf-dnsop-rfc7958bis in WG Last Call: please carefully review the diff. Based on a very good IETF Last Call review from Petr Špaček, we had to make a significant technical change to the XML format, and we want to be sure that it works for everyone. We also updated the example (of course), and in doing so found a way to simplify the material around the example.
>
> All comments welcome (until my birthday, August 18).
>
> --Paul Hoffman
>
> On Aug 9, 2024, at 11:05, Warren Kumari <warren@kumari.net> wrote:
>>
>> Dear DNSOP,
>>
>> During the DNSDIR review of draft-ietf-dnsop-rfc7958bis-03, Petr Špaček identified an issue: if you include the DNSKEY material you also need to include the flags.
>>
>> The authors have published a new version addressing these changes, as well as addressing more minor comments received during IETF LC.
>>
>> As this required a change to the XML syntax, I'd like to get the DNSOP WG's review / feedback on these changes.
>>
>> The IANA is eagerly awaiting this becoming a standard so that they can update their trust anchor with the DNSKEY material - so, if you have any strong objections to these changes, please let me know by end of day (anywhere!) on Aug 18th.
>>
>> Latest version: https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc7958bis/
>> Diff from -03: https://author-tools.ietf.org/iddiff?url1=draft-ietf-dnsop-rfc7958bis-03&url2=draft-ietf-dnsop-rfc7958bis-04&difftype=--html
>>
>> Thanks,
>> W
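The two technical points in this thread (the flags field is a 16-bit bit field, and a relying party must be able to match a live DNSKEY against the trust anchor's digest, which is only possible if the flags are carried alongside the key material) can be demonstrated with the DS digest computation from RFC 4034. This is an added example, not code from the draft or from any of the posters; the public key bytes and the trust-anchor entry are constructed here, and the entry is modelled as a plain dict rather than the draft's XML.

```python
import base64
import hashlib
import struct

# Constructed sample public key blob (NOT the real root KSK), base64 as in a DNSKEY RR.
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(1, 65))).decode()

# DNSKEY flag bits (RFC 4034 section 2.1, RFC 4035): 0x0100 = ZONE, 0x0001 = SEP.
FLAG_ZONE = 0x0100
FLAG_SEP = 0x0001


def decode_flags(flags: int) -> dict:
    """Show the 16-bit flags field as hex and as named bits; 257 == 0x0101 == ZONE|SEP."""
    return {"hex": f"{flags:04x}", "zone": bool(flags & FLAG_ZONE), "sep": bool(flags & FLAG_SEP)}


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name; the root '.' is one zero octet."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.lower().encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, flags: int, algorithm: int, pubkey_b64: str) -> str:
    """DS digest type 2 (SHA-256) over owner-name wire form + DNSKEY RDATA, hex-encoded.
    Because the flags are inside the RDATA, a key published with different flags
    yields a different digest: this is why the TA file must carry the flags too."""
    data = name_to_wire(owner) + dnskey_rdata(flags, algorithm, pubkey_b64)
    return hashlib.sha256(data).hexdigest()


def matches_trust_anchor(ta: dict, owner: str, flags: int, algorithm: int, pubkey_b64: str) -> bool:
    """Relying-party check: a live DNSKEY is accepted only if every TA field agrees."""
    rdata = dnskey_rdata(flags, algorithm, pubkey_b64)
    return (ta["Flags"] == flags and ta["Algorithm"] == algorithm and ta["DigestType"] == 2
            and ta["KeyTag"] == key_tag(rdata)
            and ta["Digest"].lower() == ds_digest(owner, flags, algorithm, pubkey_b64))
```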