Re: [DNSOP] Review of draft-ietf-dnsop-rfc2845bis-02.txt

Mukund Sivaraman <muks@mukund.org> Wed, 28 November 2018 08:31 UTC

Date: Wed, 28 Nov 2018 14:00:53 +0530
From: Mukund Sivaraman <muks@mukund.org>
To: dnsop@ietf.org
Message-ID: <20181128083053.GA25561@jurassic>
References: <154263221088.5303.2024597771109478075@ietfa.amsl.com> <20181119134534.GA1450@jurassic>
In-Reply-To: <20181119134534.GA1450@jurassic>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kvEUMag3hmod0PNMlmwpaFAQZXY>

On Mon, Nov 19, 2018 at 07:15:34PM +0530, Mukund Sivaraman wrote:
> Hi Stephen, Francis
> 
> On Mon, Nov 19, 2018 at 04:56:50AM -0800, internet-drafts@ietf.org wrote:
> > 
> > A New Internet-Draft is available from the on-line Internet-Drafts directories.
> > This draft is a work item of the Domain Name System Operations WG of the IETF.
> > 
> >         Title           : Secret Key Transaction Authentication for DNS (TSIG)
> >         Authors         : Francis Dupont
> >                           Stephen Morris
> >                           Paul Vixie
> >                           Donald E. Eastlake 3rd
> >                           Olafur Gudmundsson
> >                           Brian Wellington
> >         Filename        : draft-ietf-dnsop-rfc2845bis-02.txt
> >         Pages           : 26
> >         Date            : 2018-11-19

When investigating a TKEY-related implementation bug, I noticed that the
text in RFC 3645 is not very clearly written about prohibiting TSIG
signed responses for some error conditions (e.g., section 4.1.3, where
the writing seems to assume paragraph contexts). I recommend that you
check the various cases in RFC 3645 to make sure the protocol doesn't
allow inclusion of an arbitrary or invalid request MAC in the response
TSIG MAC computation, and state so in the bis draft.

In any case, the text in the draft has to be updated for the relaxation
in RFC 3645 section 2.2. It wouldn't be so bad if the two RFCs could be
merged as part of this bis work.

		Mukund
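Added illustration of the point raised in the message (example code, not part of the thread or of the draft): the RFC 2845 response digest begins with the length-prefixed request MAC, so a server that fails to verify the request first would bind its own signature to attacker-chosen bytes. The key name, algorithm, secret and DNS messages below are constructed sample values.

```python
import hmac
import hashlib
import struct

# Constructed sample data: shared secret and two minimal DNS messages (question
# section only, TSIG RR already removed and ARCOUNT decremented per RFC 2845 3.4.2).
SECRET = b"constructed-shared-secret-not-a-real-key"
REQUEST_MSG = bytes.fromhex("1a2b00000001000000000000") + b"\x07example\x03com\x00\x00\x06\x00\x01"
RESPONSE_MSG = bytes.fromhex("1a2b84000001000000000000") + b"\x07example\x03com\x00\x00\x06\x00\x01"
KEY_NAME, ALGORITHM = "tsig-key.example.", "hmac-sha256."

def wire_name(name):
    """Canonical wire-format name: lowercase labels, no compression (RFC 2845 3.3)."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def tsig_variables(time_signed, fudge=300, error=0, other=b""):
    """TSIG variables in digest order: key name, CLASS ANY, TTL 0, algorithm name,
    48-bit time signed, fudge, error, other len, other data (RFC 2845 3.4.3)."""
    return (wire_name(KEY_NAME) + struct.pack("!HI", 255, 0) + wire_name(ALGORITHM)
            + struct.pack("!Q", time_signed)[2:] + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_mac(message, variables, request_mac=None):
    """HMAC-SHA256 over [2-byte length + request MAC] + DNS message + TSIG variables."""
    h = hmac.new(SECRET, digestmod=hashlib.sha256)
    if request_mac is not None:
        h.update(struct.pack("!H", len(request_mac)) + request_mac)
    h.update(message)
    h.update(variables)
    return h.digest()

def verify_request(message, variables, presented_mac):
    """Constant-time comparison of the MAC carried in the request's TSIG RR."""
    return hmac.compare_digest(tsig_mac(message, variables), presented_mac)

def sign_response(response_msg, response_vars, request_msg, request_vars, request_mac):
    """Only a validated request MAC may enter the response digest (RFC 2845 3.4.1).
    On verification failure return None: the server sends an unsigned BADSIG error
    rather than folding the bogus MAC into a fresh signature."""
    if not verify_request(request_msg, request_vars, request_mac):
        return None
    return tsig_mac(response_msg, response_vars, request_mac)

def demo():
    """Sign one response to a genuine request and refuse one to a forged request."""
    t = 1543393253  # constructed 'time signed' value
    req_vars = tsig_variables(t)
    good_mac, forged_mac = tsig_mac(REQUEST_MSG, req_vars), bytes(32)
    return (sign_response(RESPONSE_MSG, tsig_variables(t + 1), REQUEST_MSG, req_vars, good_mac),
            sign_response(RESPONSE_MSG, tsig_variables(t + 1), REQUEST_MSG, req_vars, forged_mac))
```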