[DNSOP] comments on draft-muks-dnsop-dns-message-checksums

神明達哉 <jinmei@wide.ad.jp> Mon, 02 November 2015 04:31 UTC

Date: Mon, 02 Nov 2015 13:31:56 +0900
Message-ID: <CAJE_bqeuBrpp4X=N-Sm+zLs2sOSkgD1Fu0rPkY+L2RNNA1kbzw@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: dnsop <dnsop@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/xgBji5Hh6ZNU7reiaJtLBcbh5gY>

I've read draft-muks-dnsop-dns-message-checksums-01.  I think it's
quite well written.

I have a couple of comments about the draft:

1. I wonder whether this should be merged into draft-ietf-dnsop-cookies,
   as both try to solve the same/similar problems with quite similar
   approaches (note: I believe I understand the difference, and I'm
   not saying dnsop-cookies will make dns-message-checksums
   unnecessary).
2. Regarding the possibility of a downgrade attack, you might want to add a
   perhaps obvious (and weak) countermeasure: cache the availability
   of the feature per peer and use it as a hint for further queries.

--
JINMEI, Tatuya
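The per-peer hint suggested in comment 2, sketched as an added example. This is not code from the draft, from the mail, or from any resolver; it models only the caching policy. The option itself is reduced to a boolean ("did this response carry the checksum option?"), the peer is keyed by an opaque string, and the hint lifetime HINT_TTL is an assumed value, not something the draft specifies.

```python
"""Per-peer feature hint as a (weak) downgrade countermeasure.

Added illustration, not code from draft-muks-dnsop-dns-message-checksums
or from the mail above. Assumptions: the EDNS option is modelled as a
boolean per response, peers are identified by an opaque string, and
HINT_TTL is a made-up lifetime for a positive hint.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

HINT_TTL = 3600.0  # assumed: how long a "peer supports it" hint stays valid


@dataclass
class Hint:
    supported: bool
    expires: float


class PeerFeatureCache:
    """Remembers which peers have demonstrated support for the option."""

    def __init__(self, ttl: float = HINT_TTL,
                 clock: Callable[[], float] = time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self._hints: Dict[str, Hint] = {}

    def expects_feature(self, peer: str) -> bool:
        """True if we have a live hint that this peer sends the option."""
        hint = self._hints.get(peer)
        if hint is None or hint.expires <= self.clock():
            # Expired hints are dropped so a peer that genuinely stopped
            # sending the option does not stay flagged forever.
            self._hints.pop(peer, None)
            return False
        return hint.supported

    def classify(self, peer: str, carries_option: bool) -> str:
        """Classify one response from `peer`.

        'learned' : first time this peer is seen with the option
        'ok'      : consistent with what we know about the peer
        'suspect' : peer previously sent the option, now it is missing
                    (possible downgrade / stripped option)
        """
        expected = self.expects_feature(peer)
        if carries_option:
            # Refresh the hint on every positive observation (sliding TTL).
            self._hints[peer] = Hint(True, self.clock() + self.ttl)
            return "ok" if expected else "learned"
        if expected:
            # A caller would typically retry the query here rather than
            # trust the response; this example only reports the verdict.
            return "suspect"
        # No prior knowledge: a stripped option on first contact is NOT
        # detected. This is exactly why the countermeasure is weak.
        return "ok"


# Constructed trace of (time, peer, response carries option), not real data.
TRACE: List[Tuple[float, str, bool]] = [
    (0.0, "ns1.example", False),  # first contact, nothing to compare against
    (1.0, "ns1.example", True),   # peer shows it supports the option
    (2.0, "ns1.example", True),   # consistent
    (3.0, "ns1.example", False),  # option gone while hint still live
    (5.0, "ns2.example", False),  # unrelated peer, no hint for it
    (4000.0, "ns1.example", False),  # after HINT_TTL: hint expired, accepted
]


def run_trace(trace=TRACE, ttl: float = HINT_TTL) -> List[str]:
    """Replay a trace against a fresh cache with a fake clock."""
    now = [0.0]
    cache = PeerFeatureCache(ttl=ttl, clock=lambda: now[0])
    verdicts = []
    for t, peer, carries in trace:
        now[0] = t
        verdicts.append(cache.classify(peer, carries))
    return verdicts


if __name__ == "__main__":
    for (t, peer, carries), verdict in zip(TRACE, run_trace()):
        print(f"t={t:>7.1f} {peer:<12} option={carries!s:<5} -> {verdict}")
```

The trace shows both halves of the author's point: the hint catches an option that disappears after a peer has once been seen sending it, but it cannot catch an attacker who strips the option on first contact, and a TTL is needed so that a peer which legitimately stops sending it is not flagged indefinitely.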