[DNSOP] Re: [Ext] Re: Working Group Last Call for draft-ietf-dnsop-rfc7958bis
Paul Hoffman <paul.hoffman@icann.org> Mon, 08 July 2024 18:08 UTC
From: Paul Hoffman <paul.hoffman@icann.org>
To: John R Levine <johnl@taugh.com>
Date: Mon, 08 Jul 2024 18:08:45 +0000
Message-ID: <FA9FC0A4-1103-4464-9E19-86B36FE27DD4@icann.org>
References: <CADyWQ+EGh2N8tssBRskH=PVXV1e1eON4z=8E1JWPypNUyZVwLg@mail.gmail.com> <879F4E56-9939-4C57-A597-9BB113F92C0D@iana.org> <E58B1C4D-1DB0-4123-9C91-02E7FDC6D6EB@icann.org> <0bc64fd0-0031-4ca2-b722-ad0d585ea686@taugh.com>
In-Reply-To: <0bc64fd0-0031-4ca2-b722-ad0d585ea686@taugh.com>
CC: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lJoBcA2wyssBje-DZ97GNkWRY8Y>
Thanks for the comments. They are all addressed in the revised draft coming out shortly.

--Paul Hoffman

On Jun 30, 2024, at 15:31, John R Levine <johnl@taugh.com> wrote:
>
> I took a look and didn't find anything particularly troubling. I agree that adding the new optional DNSKEY element doesn't need a version number. Getting rid of private certificates in favor of a CA signed cert for the HTTPS server makes sense.
>
> On the other hand, I don't understand what the point of the new optional DNSKEY field in the XML is. I see that IANA does not currently include it.
>
> It's always been possible to retrieve the DNSKEY records from the live root and check that one of them matches the digest in the XML. Is this to provide a way to remember the old DNSKEYs that have been rotated out of the root? A sentence or two describing the motivation would help.
>
> The third paragraph of section 3.2 describes a detached CMS signature. While I realize it's there in 7958, I don't see how it provides any security at all. It's signed with an ICANN private key but there's no way I can see to tell the "real" ICANN CA from one that I just made up to sign my fake XML. The useful security is the accredited CA signed HTTPS certificate described in the following paragraph, so I'd take the CMS signature out or at least note that it's trivial to defeat unless you have external knowledge about ICANN's private CA.
>
> Regards,
> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
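The check John refers to above (take the live root DNSKEY RRset and see whether one key matches the KeyTag, Algorithm and Digest in the trust-anchor XML), written out as an added Python example; it is not part of this thread or of IANA's tooling. The XML layout follows RFC 7958; the key material, ids and source URL are constructed, and the example covers only DigestType 2 (SHA-256).

```python
import base64
import hashlib
import struct
import xml.etree.ElementTree as ET

SAMPLE_DNSKEY = "257 3 8 AwEAAQ=="  # constructed KSK-flagged key, not a real root key

def dnskey_rdata(presentation: str) -> bytes:
    """'flags protocol algorithm base64key' (dig output) -> wire-format RDATA."""
    flags, proto, alg, *key_b64 = presentation.split()
    key = base64.b64decode("".join(key_b64))
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(rdata: bytes) -> str:
    """DS digest type 2 (RFC 4509): SHA-256 over root owner name (b'\\x00') || RDATA."""
    return hashlib.sha256(b"\x00" + rdata).hexdigest().upper()

def constructed_anchor_xml(rdata: bytes) -> str:
    """Constructed root-anchors.xml in the RFC 7958 layout; not IANA's file."""
    return f"""<TrustAnchor id="constructed-id" source="https://example.invalid/root-anchors">
  <Zone>.</Zone>
  <KeyDigest id="Kconstructed" validFrom="2024-01-01T00:00:00+00:00">
    <KeyTag>{key_tag(rdata)}</KeyTag>
    <Algorithm>{rdata[3]}</Algorithm>
    <DigestType>2</DigestType>
    <Digest>{ds_digest_sha256(rdata)}</Digest>
  </KeyDigest>
</TrustAnchor>"""

def matching_anchors(xml_text: str, dnskeys: list[str]) -> list[str]:
    """KeyDigest ids matched by a key in the live DNSKEY RRset (consistency, not authenticity)."""
    rdatas = [dnskey_rdata(k) for k in dnskeys]
    matched = []
    for kd in ET.fromstring(xml_text).findall("KeyDigest"):
        if kd.findtext("DigestType") != "2":
            continue  # only SHA-256 digests handled here
        tag, alg = int(kd.findtext("KeyTag")), int(kd.findtext("Algorithm"))
        digest = kd.findtext("Digest").strip().upper()
        if any(rd[3] == alg and key_tag(rd) == tag and ds_digest_sha256(rd) == digest for rd in rdatas):
            matched.append(kd.get("id"))
    return matched
```

A match only establishes that the XML agrees with the zone's current keys; whether the XML itself is the genuine file is the separate CMS-signature versus HTTPS-certificate question raised in the quoted message.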