Re: [Gen-art] Gen-ART telechat review of draft-ietf-dnsop-delegation-trust-maintainance-13.txt (updated)
Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 10 June 2014 20:24 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1587E1A0442 for <gen-art@ietfa.amsl.com>; Tue, 10 Jun 2014 13:24:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NqX6b29zYKe3 for <gen-art@ietfa.amsl.com>; Tue, 10 Jun 2014 13:24:51 -0700 (PDT)
Received: from mail-pb0-x22a.google.com (mail-pb0-x22a.google.com [IPv6:2607:f8b0:400e:c01::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BADB1A042D for <gen-art@ietf.org>; Tue, 10 Jun 2014 13:24:51 -0700 (PDT)
Received: by mail-pb0-f42.google.com with SMTP id md12so6650568pbc.1 for <gen-art@ietf.org>; Tue, 10 Jun 2014 13:24:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=IMKbvUsO/kUKajZ+B2pOagP2AJ3We2XRZddGNz418vc=; b=kGVqD75onAvKYkfgkaI50hX4hFJjnPjEsoCLKodOha+dmIRUeucpbiScw2zKMMQbse bezl2lK2xX29VKcfw/CXZt1xBMmSRdh83fNGEQ7wYgtSBnNVtOKU11Ci8y5uzHWhT0Ey J5LLcJ1WVk5Yso5uYSzcWhwKHmYlIYDCVaRxUJa340LB2UeDT4hpUAlfCBDgwa0vBf06 H0/0DP12ikwvDpZPt4YYvdOUdLgqdeiAqf2vU7ZfJy02DZM8X4f1YzsIE6tqymHJvNuM BojB4DREHKdyde+a7uIbtUzAwDawQMuv5DiFL5TkzN7stWyJNZBMJtIoP0Brw9BQWBGZ epMA==
X-Received: by 10.68.221.42 with SMTP id qb10mr14349684pbc.65.1402431890840; Tue, 10 Jun 2014 13:24:50 -0700 (PDT)
Received: from [192.168.178.23] (163.193.69.111.dynamic.snap.net.nz. [111.69.193.163]) by mx.google.com with ESMTPSA id ry10sm17776706pab.38.2014.06.10.13.24.48 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 10 Jun 2014 13:24:50 -0700 (PDT)
Message-ID: <53976994.3060107@gmail.com>
Date: Wed, 11 Jun 2014 08:24:52 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Olafur Gudmundsson <ogud@ogud.com>, Jari Arkko <jari.arkko@ericsson.com>
References: <5391238C.9090706@gmail.com> <57E7A2FA-A306-42B1-96EB-6112F38E5F36@ericsson.com> <6373E522-4086-4AFB-8E0F-7256145720C9@ogud.com> <190937F1-5CA8-4401-94A7-5A9AB6C8184F@ericsson.com> <596229B7-AAFB-42D6-A9B5-1083475AB99D@ogud.com>
In-Reply-To: <596229B7-AAFB-42D6-A9B5-1083475AB99D@ogud.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/gen-art/Gshry9xp7wSjXnapCy11BMjGjZ0
Cc: draft-ietf-dnsop-delegation-trust-maintainance.all@tools.ietf.org, General Area Review Team <gen-art@ietf.org>
Subject: Re: [Gen-art] Gen-ART telechat review of draft-ietf-dnsop-delegation-trust-maintainance-13.txt (updated)
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jun 2014 20:24:57 -0000
OK, the -14 version is fine IMHO. (Jari, a few of my points were explained by email so did not result in text changes.) Just one thing - you don't need to acknowledge my review, but if you do, please s/Carpender/Carpenter/. Regards Brian On 11/06/2014 05:14, Olafur Gudmundsson wrote: > Posted > you welcome > > Olafur > > On Jun 10, 2014, at 1:07 PM, Jari Arkko <jari.arkko@ericsson.com> wrote: > >> Thanks! >> >> On 10 Jun 2014, at 17:57, Olafur Gudmundsson <ogud@ogud.com> wrote: >> >>> Jari, >>> we will push one out today >>> >>> Olafur >>> >>> >>> >>> On Jun 10, 2014, at 8:30 AM, Jari Arkko <jari.arkko@ericsson.com> wrote: >>> >>>> Thanks for the review, Brian, and thank you Warren and Olafur for answers. I do agree with the remaining issues as listed by Brian below; can I expect a new draft revision to address these? >>>> >>>> Jari >>>> >>>> On 06 Jun 2014, at 05:12, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote: >>>> >>>>> I am the assigned Gen-ART reviewer for this draft. For background on >>>>> Gen-ART, please see the FAQ at >>>>> < http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. >>>>> >>>>> Please wait for direction from your document shepherd >>>>> or AD before posting a new version of the draft. >>>>> >>>>> Document: draft-ietf-dnsop-delegation-trust-maintainance-13.txt >>>>> Reviewer: Brian Carpenter >>>>> Review Date: 2014-06-06 >>>>> IETF LC End Date: 2014-05-26 >>>>> IESG Telechat date: 2014-06-12 >>>>> >>>>> Summary: Almost ready >>>>> -------- >>>>> >>>>> Comment: >>>>> -------- >>>>> >>>>> These are my Last Call comments on version -13. The authors responded >>>>> with helpful explanations, and I understand that they plan some >>>>> corresponding changes before publication. >>>>> >>>>> Minor issues: >>>>> ------------- >>>>> >>>>>> 1. Introduction >>>>> ... >>>>>> Any manual process is susceptible to mistakes and / or errors. >>>>> Also susceptible to social engineering or malicious leaks, I think. >>>>> There's a fairly strong security argument for getting humans out >>>>> of the process. >>>>> >>>>>> 3. CDS / CDNSKEY (Child DS / Child DNSKEY) Record Definitions >>>>> ... >>>>>> it is up to the consumer of the records to >>>>>> translate that into the appropriate add/delete operations in the >>>>>> provisioning systems >>>>> Not clear here whether this is expected to be an automated or manual process. >>>>> >>>>>> If no CDS / CDNSKEY RRset is present in child, >>>>>> this means that no change is needed. >>>>> Not clear here how we ensure that update is performed exactly once. See below. >>>>> >>>>>> 4. Automating DS Maintenance With CDS / CDNSKEY records >>>>>> >>>>>> CDS / CDNSKEY resource records are intended to be "consumed" by >>>>>> delegation trust maintainers. The use of CDS / CDNSKEY is optional. >>>>> I think that could be OPTIONAL. >>>>> >>>>>> The child SHOULD publish both CDS and CDNSKEY resource records. >>>>> Given the previous sentence, I think this needs to be >>>>> >>>>> If the child publishes either the CDS or the CDNSKEY resource record, it >>>>> SHOULD publish both. >>>>> >>>>>> 4.1. CDS / CDNSKEY Processing Rules >>>>> ... >>>>>> If there are no CDS / CDNSKEY RRset in the child, this signals that >>>>>> no change should be made to the current DS set. This means that, >>>>>> once the child and parent are in sync, the Child DNS Operator MAY >>>>>> remove all CDS and CDNSKEY resource records from the zone. >>>>> Does that mean the the child MAY/SHOULD/MUST monitor what the >>>>> parent is publishing in order to automate this process? If not, you >>>>> are calling for a manual operation. (The text in section 5 >>>>> is repetitious, by the way, but still doesn't clarify this.) >>>>> >>>>>> If any these conditions fail the CDS / CDNSKEY resource record MUST >>>>>> be ignored. >>>>> Silently? Should this be logged? Any DOS potential here? Should use of >>>>> these RRs be rate-limited in both child and parent to avoid any DOS risk? >>>>> >>>>>> 6. Parent Side CDS / CDNSKEY Consumption >>>>> I don't think you specify what the parent should do if it receives >>>>> both a CDS and a CDNSKEY and they are inconsistent (in violation >>>>> of section 4). Yes, it's a corner case but Murphy's law always applies. >>>>> >>>>>> 9. Security Considerations >>>>> ... >>>>>> While it may be tempting, this SHOULD NOT be used for initial >>>>>> enrollment of keys since there is no way to ensure that the initial >>>>>> key is the correct one. If is used, strict rules for inclusion of >>>>>> keys such as hold down times, challenge data inclusion or similar, >>>>>> ought to be used, along with some kind of challenge mechanism. >>>>> Shouldn't that "ought to" be MUST? Weak protection against a bogus >>>>> initial key really seems like a "Crypto Won't Save You Either" poster >>>>> child. >>>>> >>>>> Nits: >>>>> ----- >>>>> >>>>> (from the shepherd's write-up) >>>>> "The document references the document draft-ietf-dnsop-dnssec-key-timing, which had >>>>> been approved for publication but never followed through on, and is shown to be expired." >>>>> >>>>> This is an informational reference and could probably be deleted without harm. >>>>> >>>>> "Additionally, the document references RFC2119 key word "NOT RECOMMENDED" without referencing it. " >>>>> >>>>> That is a well known bug in RFC 2119 itself. The citation can be fixed as per >>>>> http://www.rfc-editor.org/errata_search.php?eid=499 >>>>> >>>>> _______________________________________________ >>>>> Gen-art mailing list >>>>> Gen-art@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/gen-art > >
- [Gen-art] Gen-ART telechat review of draft-ietf-d… Brian E Carpenter
- Re: [Gen-art] Gen-ART telechat review of draft-ie… Jari Arkko
- Re: [Gen-art] Gen-ART telechat review of draft-ie… Olafur Gudmundsson
- Re: [Gen-art] Gen-ART telechat review of draft-ie… Jari Arkko
- Re: [Gen-art] Gen-ART telechat review of draft-ie… Olafur Gudmundsson
- Re: [Gen-art] Gen-ART telechat review of draft-ie… Brian E Carpenter
- Re: [Gen-art] Gen-ART telechat review of draft-ie… Olafur Gudmundsson