[IPsec] Comments to the draft-ietf-ipsecme-split-dns-04.txt
Tero Kivinen <kivinen@iki.fi> Tue, 06 February 2018 13:30 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED890129C6E; Tue, 6 Feb 2018 05:30:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.12
X-Spam-Level:
X-Spam-Status: No, score=-1.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b4W0_HA5nQZn; Tue, 6 Feb 2018 05:30:00 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [212.16.101.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FD9B12DA6A; Tue, 6 Feb 2018 05:29:53 -0800 (PST)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id w16DTlBg001202 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 6 Feb 2018 15:29:47 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id w16DTlEH019219; Tue, 6 Feb 2018 15:29:47 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <23161.44491.871182.608585@fireball.acr.fi>
Date: Tue, 06 Feb 2018 15:29:47 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: draft-ietf-ipsecme-split-dns@ietf.org
CC: ipsec@ietf.org
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 19 min
X-Total-Time: 21 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/bsXd86kdeVH_MPmNbZEf83CkwSY>
Subject: [IPsec] Comments to the draft-ietf-ipsecme-split-dns-04.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Feb 2018 13:30:03 -0000
While approving the IANA allocations I re-read the document again, and I have some more comments that might make the document more understandable. -- In section 4.1 there is example of example.com, but it would be better to put quotes around it it, i.e., change A Fully Qualified Domain Name used for Split DNS rules, such as example.com, ... with A Fully Qualified Domain Name used for Split DNS rules, such as "example.com", ... as we do in the RFC7296 section 3.5 for ID_FQDN. -- In section 4.2 there is "Digest Type" in the figure, but the list has only item for "DS algorithm". Make those same. -- It is bit misleading to say that "Key Tag", "Algorithm", "DS algoritm" etc can either be 0 or 2/1/1 etc octets long. How does the receiver know what is going to be the length of the "Key Tag" value for example? I assume the intent has been to say that either all the fields are there with fixed lengths, or they are all omitted, meaning the length is 0 for all of them. The current section 4.2 does not clearly indicate that. I would propose following change: ---------------------------------------------------------------------- 4.2. INTERNAL_DNSSEC_TA Configuration Attribute 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-----------------------------+-------------------------------+ |R| Attribute Type | Length | +-+-----------------------------+---------------+---------------+ | | ~ DNSSEC Trust Anchor Data ~ | | +---------------------------------------------------------------+ o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. o Attribute Type (15 bits) [TBD IANA] - INTERNAL_DNSSEC_TA. o Length (2 octets, unsigned integer) - Length of DNSSEC Trust Anchor data. o DNSSEC Trust Anchor Data (0 or more octets) - Either empty or DNSSEC Trust Anchor data in format specified in the the [RFC4034] Section 5.1 (copied here for conveniency): 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-------------------------------+---------------+---------------+ | Key Tag | Algorithm | Digest Type | +-------------------------------+---------------+---------------+ | | ~ Digest ~ | | +---------------------------------------------------------------+ o Key Tag value (2 octets, unsigned integer) - Key Tag as specified in [RFC4034] Section 5.1 o Algorithm (1 octet) - DNSKEY algorithm value from the IANA DNS Security Algorithm Numbers Registry o Digest Type (1 octet) - DS algorithm value from the IANA Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms Registry o Digest (length specified by the Digest Type field octets) - The DNSKEY digest as specified in [RFC4034] Section 5.1 in presentation format. ---------------------------------------------------------------------- I.e., split the figure in two pieces, where first one just says we have the DS RDATA inside (or not in case of request and then the length is 0), and then explain the DS RDATA format after that... -- kivinen@iki.fi
- [IPsec] Comments to the draft-ietf-ipsecme-split-… Tero Kivinen
- Re: [IPsec] Comments to the draft-ietf-ipsecme-sp… Paul Wouters
- Re: [IPsec] Comments to the draft-ietf-ipsecme-sp… Tero Kivinen
- Re: [IPsec] Comments to the draft-ietf-ipsecme-sp… Paul Wouters
- Re: [IPsec] Comments to the draft-ietf-ipsecme-sp… Paul Wouters