[Gen-art] Fwd: Gen-ART review of draft-ietf-dnsext-dnssec-bis-updates-18
"Richard L. Barnes" <rbarnes@bbn.com> Fri, 25 May 2012 22:03 UTC
Return-Path: <rbarnes@bbn.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC2BA21F859B for <gen-art@ietfa.amsl.com>; Fri, 25 May 2012 15:03:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7QvNn9LRD0TJ for <gen-art@ietfa.amsl.com>; Fri, 25 May 2012 15:03:53 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id B131621F85C9 for <gen-art@ietf.org>; Fri, 25 May 2012 15:03:53 -0700 (PDT)
Received: from ros-dhcp192-1-51-6.bbn.com ([192.1.51.6]:56794) by smtp.bbn.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.77 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1SY2bS-000601-5P for gen-art@ietf.org; Fri, 25 May 2012 18:03:22 -0400
From: "Richard L. Barnes" <rbarnes@bbn.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Fri, 25 May 2012 18:03:52 -0400
References: <EBFB2D2E-78FF-46D6-B4FF-1F57FB8D769B@bbn.com>
To: gen-art@ietf.org
Message-Id: <B5AA25FB-945D-4888-AB7B-90F9142A65F2@bbn.com>
Mime-Version: 1.0 (Apple Message framework v1278)
X-Mailer: Apple Mail (2.1278)
Subject: [Gen-art] Fwd: Gen-ART review of draft-ietf-dnsext-dnssec-bis-updates-18
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 May 2012 22:03:58 -0000
Forgot to copy gen-art. Begin forwarded message: > From: "Richard L. Barnes" <rbarnes@bbn.com> > Subject: Gen-ART review of draft-ietf-dnsext-dnssec-bis-updates-18 > Date: May 25, 2012 5:02:28 PM EDT > To: IESG <iesg@ietf.org>, ietf@ietf.org > Cc: draft-ietf-dnsext-dnssec-bis-updates@tools.ietf.org > > I am the assigned Gen-ART reviewer for this draft. For background on > Gen-ART, please see the FAQ at > <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. > > Please resolve these comments along with any other Last Call comments > you may receive. > > Document: draft-ietf-dnsext-dnssec-bis-updates-18 > Reviewer: Richard Barnes > Review Date: May-25-2012 > IETF LC End Date: Not known > IESG Telechat date: Jan-05-2012 > > Summary: Almost ready, couple of questions > > MAJOR: > > 4.1. > It's not clear what the threat model is that this section is designed to address. If the zone operator is malicious, then it can simulate the necessary zone cut and still prove the non-existence of records in the child zone. > > 5.10. > I find the recommendation of the "Accept Any Success" policy troubling. It deals very poorly with compromise (and other roll-over scenarios): Suppose there are two trust anchors, one for example.com and one for child.example.com. If the private key corresponding to the TA for child.example.com is compromised, but the validator continues to trust it, this negates the benefit provided by the parent (example.com) facilitating a rollover. Suggest an alternative policy, "Highest Signer": Out of the set of keys configured as TAs, the validator only uses a key as a TA (for purposes of validation) if there does not exist a DNSSEC path from it to any other TA. This policy seems like more work to enforce (because you have to do more backward chaining), but ISTM that the validator should have the necessary DNSSEC records anyway, so it's just a matter a couple of quick checks. > > >
- [Gen-art] Fwd: Gen-ART review of draft-ietf-dnsex… Richard L. Barnes