IETF Logo Mail Archive

[Gen-art] Gen-ART telechat review of draft-ietf-dnsop-delegation-trust-maintainance-13.txt (updated)

Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 06 June 2014 02:12 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 361931A03A8 for <gen-art@ietfa.amsl.com>; Thu, 5 Jun 2014 19:12:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sOpXPzyoAjHp for <gen-art@ietfa.amsl.com>; Thu, 5 Jun 2014 19:12:28 -0700 (PDT)
Received: from mail-pb0-x22a.google.com (mail-pb0-x22a.google.com [IPv6:2607:f8b0:400e:c01::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A8551A0383 for <gen-art@ietf.org>; Thu, 5 Jun 2014 19:12:28 -0700 (PDT)
Received: by mail-pb0-f42.google.com with SMTP id md12so1959621pbc.29 for <gen-art@ietf.org>; Thu, 05 Jun 2014 19:12:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to :subject:content-type:content-transfer-encoding; bh=uBFpMN0IvjZZifVUBHSzHBNZ629/dQNZS1R1GZkQibM=; b=SoECshk2H7czzp7c9a6aEdjfOngwgCpHBwmJR5G2UzQrImFkSoshge3VLfhRXl/P5i /KGDH2KgM2gEhmv0gXimDsmw2EtJsGq0gIUnIYtFoiYT+4vHbjbv0hClnptB2WkGDKZV HgD4wJS5Dw5mHEJEux729jI/WxB+4LYceN5IfIvC7j9MNA5SRIPtRhtp6A4tOEcR2bf/ WQPRlws865i+Td7IwbxS8RvnARsWwwz96qtJaCZ4duKeUFUU94Lm5aYthmvfUTyrnr7O 3hVYJh7vRi65kvXX1xPhCb8h74wWjfzMfeBRlcGaKjTU6602KURIjvhf8+IqdvlJstb5 6oLg==
X-Received: by 10.68.164.67 with SMTP id yo3mr3189133pbb.104.1402020741460; Thu, 05 Jun 2014 19:12:21 -0700 (PDT)
Received: from [192.168.178.23] (13.199.69.111.dynamic.snap.net.nz. [111.69.199.13]) by mx.google.com with ESMTPSA id su8sm28978213pbc.72.2014.06.05.19.12.19 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 05 Jun 2014 19:12:20 -0700 (PDT)
Message-ID: <5391238C.9090706@gmail.com>
Date: Fri, 06 Jun 2014 14:12:28 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: draft-ietf-dnsop-delegation-trust-maintainance.all@tools.ietf.org, General Area Review Team <gen-art@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/gen-art/sch--hPx_vsJMr6nk8B9lFuVXzA
Subject: [Gen-art] Gen-ART telechat review of draft-ietf-dnsop-delegation-trust-maintainance-13.txt (updated)
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jun 2014 02:12:30 -0000

I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at
< http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please wait for direction from your document shepherd
or AD before posting a new version of the draft.

Document: draft-ietf-dnsop-delegation-trust-maintainance-13.txt
Reviewer: Brian Carpenter
Review Date: 2014-06-06
IETF LC End Date: 2014-05-26
IESG Telechat date: 2014-06-12

Summary:  Almost ready
--------

Comment:
--------

These are my Last Call comments on version -13. The authors responded
with helpful explanations, and I understand that they plan some
corresponding changes before publication.

Minor issues:
-------------

> 1. Introduction
...
> Any manual process is susceptible to mistakes and / or errors.

Also susceptible to social engineering or malicious leaks, I think.
There's a fairly strong security argument for getting humans out
of the process.

> 3. CDS / CDNSKEY (Child DS / Child DNSKEY) Record Definitions
...
> it is up to the consumer of the records to
> translate that into the appropriate add/delete operations in the
> provisioning systems

Not clear here whether this is expected to be an automated or manual process.

> If no CDS / CDNSKEY RRset is present in child,
> this means that no change is needed.

Not clear here how we ensure that update is performed exactly once. See below.

> 4. Automating DS Maintenance With CDS / CDNSKEY records
>
> CDS / CDNSKEY resource records are intended to be "consumed" by
> delegation trust maintainers.  The use of CDS / CDNSKEY is optional.

I think that could be OPTIONAL.

> The child SHOULD publish both CDS and CDNSKEY resource records.

Given the previous sentence, I think this needs to be

 If the child publishes either the CDS or the CDNSKEY resource record, it
 SHOULD publish both.

> 4.1. CDS / CDNSKEY Processing Rules
...
> If there are no CDS / CDNSKEY RRset in the child, this signals that
> no change should be made to the current DS set.  This means that,
> once the child and parent are in sync, the Child DNS Operator MAY
> remove all CDS and CDNSKEY resource records from the zone.

Does that mean the the child MAY/SHOULD/MUST monitor what the
parent is publishing in order to automate this process? If not, you
are calling for a manual operation. (The text in section 5
is repetitious, by the way, but still doesn't clarify this.)

> If any these conditions fail the CDS / CDNSKEY resource record MUST
> be ignored.

Silently? Should this be logged? Any DOS potential here? Should use of
these RRs be rate-limited in both child and parent to avoid any DOS risk?

> 6. Parent Side CDS / CDNSKEY Consumption

I don't think you specify what the parent should do if it receives
both a CDS and a CDNSKEY and they are inconsistent (in violation
of section 4). Yes, it's a corner case but Murphy's law always applies.

> 9. Security Considerations
...
> While it may be tempting, this SHOULD NOT be used for initial
> enrollment of keys since there is no way to ensure that the initial
> key is the correct one.  If is used, strict rules for inclusion of
> keys such as hold down times, challenge data inclusion or similar,
> ought to be used, along with some kind of challenge mechanism.

Shouldn't that "ought to" be MUST? Weak protection against a bogus
initial key really seems like a "Crypto Won't Save You Either" poster
child.

Nits:
-----

(from the shepherd's write-up)
"The document references the document draft-ietf-dnsop-dnssec-key-timing, which had
been approved for publication but never followed through on, and is shown to be expired."

This is an informational reference and could probably be deleted without harm.

"Additionally, the document references RFC2119 key word "NOT RECOMMENDED" without referencing it. "

That is a well known bug in RFC 2119 itself. The citation can be fixed as per
http://www.rfc-editor.org/errata_search.php?eid=499

v2.23.0 | Report a Bug | By Email