Re: [Gen-art] Gen-ART telechat review of draft-ietf-dnsop-delegation-trust-maintainance-13.txt
Warren Kumari <warren@kumari.net> Fri, 06 June 2014 02:59 UTC
Return-Path: <warren@kumari.net>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D35A1A03E7 for <gen-art@ietfa.amsl.com>; Thu, 5 Jun 2014 19:59:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yh42zmcl8AS4 for <gen-art@ietfa.amsl.com>; Thu, 5 Jun 2014 19:59:04 -0700 (PDT)
Received: from mail-we0-f172.google.com (mail-we0-f172.google.com [74.125.82.172]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0EA181A03ED for <gen-art@ietf.org>; Thu, 5 Jun 2014 19:58:55 -0700 (PDT)
Received: by mail-we0-f172.google.com with SMTP id k48so2169032wev.3 for <gen-art@ietf.org>; Thu, 05 Jun 2014 19:58:48 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=m3N00a7mlB4GEp9C9RnCVB1ug2qPjOx/vMM6Y5dwXjA=; b=dzr+5iMwqjQfMzRZrAFC+6S/F+DahsSFz3D5HPYcLi2NLrRq1/ws2WTYPjeik2yNtk 3p73obkiX4CDfWxXkL9miqgZCnTAgLTnov1Y28nRVMAZ9Jf8y2l8QOnr05+ZTgMyNi4Q z8KINMmMhey703rzMoXnqTUcZF2GTliTG4FSNQKxFs+s/V51lbqIg+mVE2eXZKffmjM4 k54TsgoKVHzuxEh1TwV+0+ICC1j78QWOcW4vswIXn3M5LUj1iLmFulhXXO+nqBy3eWFi 98bohTm0MJvdu83Dzz3aqrWCoUiRl7jV/uTXuT1NXMKhwSqv8aKJvimBO6emJvxVFKCV EXxA==
X-Gm-Message-State: ALoCoQn4y+QuatCUfgK/V5B23dZyksXyNkFC5D7QcguphKmAIKUzZg+ICCgSpZ2wQ1/OPyN/aMSy
MIME-Version: 1.0
X-Received: by 10.194.84.101 with SMTP id x5mr2393525wjy.52.1402023527963; Thu, 05 Jun 2014 19:58:47 -0700 (PDT)
Received: by 10.194.62.70 with HTTP; Thu, 5 Jun 2014 19:58:47 -0700 (PDT)
In-Reply-To: <539120B0.9090603@gmail.com>
References: <5391111A.7000207@gmail.com> <CAHw9_i+1UpqxNnH=+XaQ5rj-wyAEEybsKsBNtWmG1kVCdoEbEQ@mail.gmail.com> <CAHw9_i+2siS=6E9bej4nyEz8RmrcfsLYKZ_NEqKWeaz=wxaqBQ@mail.gmail.com> <539120B0.9090603@gmail.com>
Date: Thu, 05 Jun 2014 19:58:47 -0700
Message-ID: <CAHw9_iJzzmYkyooGmad2e_9_t2K6=ssSSOsb8B5rSxHAHT4sbg@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Content-Type: multipart/alternative; boundary="047d7bb04dce5a07ec04fb220a17"
Archived-At: http://mailarchive.ietf.org/arch/msg/gen-art/kWVa6pWDEr8mlSOMyezACM0ItrI
Cc: "draft-ietf-dnsop-delegation-trust-maintainance.all@tools.ietf.org" <draft-ietf-dnsop-delegation-trust-maintainance.all@tools.ietf.org>, General Area Review Team <gen-art@ietf.org>
Subject: Re: [Gen-art] Gen-ART telechat review of draft-ietf-dnsop-delegation-trust-maintainance-13.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jun 2014 02:59:08 -0000
On Thursday, June 5, 2014, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote: > Totally bizarre. I found them in the trash on my gmail account, > but no trace of them in my local Gen-ART inbox. > > Presumably there was some finger trouble. I apologise, Nah, no worries, mate.. W > and please > watch this space for a corrected review. > > Regards > Brian > > On 06/06/2014 13:37, Warren Kumari wrote: > > I replied 6 days ago, Olafur followed up 3 days ago. > > > > Maybe you have us kill-filled? :-) > > > > W > > > > On Thursday, June 5, 2014, Warren Kumari <warren@kumari.net > <javascript:;>> wrote: > > > >> Brian, can you please re-check? > >> > >> Olafur and I both replied -- I've just gotten off a plane and so cannot > >> easily resend, will do tomorrow if you didn't get our mails... > >> > >> W > >> > >> On Thursday, June 5, 2014, Brian E Carpenter < > brian.e.carpenter@gmail.com <javascript:;> > >> <javascript:_e(%7B%7D,'cvml','brian.e.carpenter@gmail.com');>> wrote: > >> > >>> I am the assigned Gen-ART reviewer for this draft. For background on > >>> Gen-ART, please see the FAQ at > >>> < http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. > >>> > >>> Please wait for direction from your document shepherd > >>> or AD before posting a new version of the draft. > >>> > >>> Document: draft-ietf-dnsop-delegation-trust-maintainance-13.txt > >>> Reviewer: Brian Carpenter > >>> Review Date: 2014-06-06 > >>> IETF LC End Date: 2014-05-26 > >>> IESG Telechat date: 2014-06-12 > >>> > >>> Summary: Almost ready > >>> -------- > >>> > >>> Comment: > >>> -------- > >>> > >>> These are my Last Call comments. I have seen no response. > >>> > >>> Minor issues: > >>> ------------- > >>> > >>>> 1. Introduction > >>> ... > >>>> Any manual process is susceptible to mistakes and / or errors. > >>> Also susceptible to social engineering or malicious leaks, I think. > >>> There's a fairly strong security argument for getting humans out > >>> of the process. > >>> > >>>> 3. CDS / CDNSKEY (Child DS / Child DNSKEY) Record Definitions > >>> ... > >>>> it is up to the consumer of the records to > >>>> translate that into the appropriate add/delete operations in the > >>>> provisioning systems > >>> Not clear here whether this is expected to be an automated or manual > >>> process. > >>> > >>>> If no CDS / CDNSKEY RRset is present in child, > >>>> this means that no change is needed. > >>> Not clear here how we ensure that update is performed exactly once. See > >>> below. > >>> > >>>> 4. Automating DS Maintenance With CDS / CDNSKEY records > >>>> > >>>> CDS / CDNSKEY resource records are intended to be "consumed" by > >>>> delegation trust maintainers. The use of CDS / CDNSKEY is optional. > >>> I think that could be OPTIONAL. > >>> > >>>> The child SHOULD publish both CDS and CDNSKEY resource records. > >>> Given the previous sentence, I think this needs to be > >>> > >>> If the child publishes either the CDS or the CDNSKEY resource record, > it > >>> SHOULD publish both. > >>> > >>>> 4.1. CDS / CDNSKEY Processing Rules > >>> ... > >>>> If there are no CDS / CDNSKEY RRset in the child, this signals that > >>>> no change should be made to the current DS set. This means that, > >>>> once the child and parent are in sync, the Child DNS Operator MAY > >>>> remove all CDS and CDNSKEY resource records from the zone. > >>> Does that mean the the child MAY/SHOULD/MUST monitor what the > >>> parent is publishing in order to automate this process? If not, you > >>> are calling for a manual operation. (The text in section 5 > >>> is repetitious, by the way, but still doesn't clarify this.) > >>> > >>>> If any these conditions fail the CDS / CDNSKEY resource record MUST > >>>> be ignored. > >>> Silently? Should this be logged? Any DOS potential here? Should use of > >>> these RRs be rate-limited in both child and parent to avoid any DOS > risk? > >>> > >>>> 6. Parent Side CDS / CDNSKEY Consumption > >>> I don't think you specify what the parent should do if it receives > >>> both a CDS and a CDNSKEY and they are inconsistent (in violation > >>> of section 4). Yes, it's a corner case but Murphy's law always applies. > >>> > >>>> 9. Security Considerations > >>> ... > >>>> While it may be tempting, this SHOULD NOT be used for initial > >>>> enrollment of keys since there is no way to ensure that the initial > >>>> key is the correct one. If is used, strict rules for inclusion of > >>>> keys such as hold down times, challenge data inclusion or similar, > >>>> ought to be used, along with some kind of challenge mechanism. > >>> Sh
- [Gen-art] Gen-ART telechat review of draft-ietf-d… Brian E Carpenter
- Re: [Gen-art] Gen-ART telechat review of draft-ie… Warren Kumari
- Re: [Gen-art] Gen-ART telechat review of draft-ie… Warren Kumari
- Re: [Gen-art] Gen-ART telechat review of draft-ie… Brian E Carpenter
- Re: [Gen-art] Gen-ART telechat review of draft-ie… Warren Kumari