[dnsext] Fwd: Gen-ART review of draft-ietf-dnsext-dnssec-bis-updates-18

"Richard L. Barnes" <rbarnes@bbn.com> Fri, 25 May 2012 22:04 UTC

From: "Richard L. Barnes" <rbarnes@bbn.com>
Date: Fri, 25 May 2012 18:04:14 -0400
References: <EBFB2D2E-78FF-46D6-B4FF-1F57FB8D769B@bbn.com>
To: dnsext@ietf.org
Message-Id: <6A06CD40-37F9-482A-8DED-53EA9ED3E3FE@bbn.com>
Subject: [dnsext] Fwd: Gen-ART review of draft-ietf-dnsext-dnssec-bis-updates-18

Paul suggested I forward this to the WG.
--Richard

Begin forwarded message:

> From: "Richard L. Barnes" <rbarnes@bbn.com>
> Subject: Gen-ART review of draft-ietf-dnsext-dnssec-bis-updates-18
> Date: May 25, 2012 5:02:28 PM EDT
> To: IESG <iesg@ietf.org>, ietf@ietf.org
> Cc: draft-ietf-dnsext-dnssec-bis-updates@tools.ietf.org
> 
> I am the assigned Gen-ART reviewer for this draft. For background on
> Gen-ART, please see the FAQ at
> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
> 
> Please resolve these comments along with any other Last Call comments
> you may receive.
> 
> Document: draft-ietf-dnsext-dnssec-bis-updates-18
> Reviewer: Richard Barnes
> Review Date: May-25-2012
> IETF LC End Date: Not known
> IESG Telechat date: Jan-05-2012
> 
> Summary: Almost ready, couple of questions
> 
> MAJOR:
> 
> 4.1.
> It's not clear what the threat model is that this section is designed to address.  If the zone operator is malicious, then it can simulate the necessary zone cut and still prove the non-existence of records in the child zone.  
> 
> 5.10.
> I find the recommendation of the "Accept Any Success" policy troubling.  It deals very poorly with compromise (and other roll-over scenarios): Suppose there are two trust anchors, one for example.com and one for child.example.com.  If the private key corresponding to the TA for child.example.com is compromised, but the validator continues to trust it, this negates the benefit provided by the parent (example.com) facilitating a rollover.  Suggest an alternative policy, "Highest Signer": Out of the set of keys configured as TAs, the validator only uses a key as a TA (for purposes of validation) if there does not exist a DNSSEC path from it to any other TA.  This policy seems like more work to enforce (because you have to do more backward chaining), but ISTM that the validator should have the necessary DNSSEC records anyway, so it's just a matter of a couple of quick checks.
> 

_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext
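The following is an added example and not part of the forwarded review, the draft under review, or any validator implementation. It is a toy model of the two trust-anchor policies discussed in the 5.10 comment, "Accept Any Success" versus the proposed "Highest Signer", in Python. The zone names, key tags, the ZoneView/TrustAnchor structures and the three scenarios are constructed for illustration; nothing is fetched from the DNS and no real RRSIGs are verified (signature results are assumed already known). The reading of "Highest Signer" used here is an assumption: a configured anchor is ignored when its zone is securely delegated (an authenticated DS RRset exists at the parent) along a path from another configured anchor, whichever key the parent's DS currently names.

```python
# Added example (not from the original message or the draft): toy model of the
# "Accept Any Success" and proposed "Highest Signer" trust-anchor policies.
# Zone names, key tags and all view data are constructed; RRSIG checks are
# assumed to have already been performed on the data in each ZoneView.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class TrustAnchor:
    zone: str       # zone apex the anchor is configured for
    key_tag: int    # key tag of the configured DNSKEY


@dataclass(frozen=True)
class ZoneView:
    """The validator's RRSIG-checked view of one zone (constructed data)."""
    dnskey_tags: FrozenSet[int]        # key tags in the zone's DNSKEY RRset
    dnskey_signers: FrozenSet[int]     # tags whose RRSIG over that RRset verified
    # child zone -> (tags the signed DS RRset points at, tag that signed it)
    ds_for_child: Dict[str, Tuple[FrozenSet[int], int]]


Anchors = Set[TrustAnchor]
View = Dict[str, ZoneView]


def parent_of(zone: str) -> Optional[str]:
    """'child.example.com' -> 'example.com', 'com' -> '.', '.' -> None."""
    if zone == ".":
        return None
    parts = zone.split(".", 1)
    return parts[1] if len(parts) == 2 else "."


def secure_delegation(zone: str, anchors: Anchors, view: View) -> bool:
    """True if the parent publishes an authenticated DS RRset for `zone`, i.e. a
    DNSSEC path from one of `anchors` reaches this delegation point.  A missing
    DS is treated as an insecure delegation (NSEC/NSEC3 denial is not modelled)."""
    parent = parent_of(zone)
    if parent is None or parent not in view:
        return False
    ds = view[parent].ds_for_child.get(zone)
    if ds is None:
        return False
    _, signer = ds
    return signer in view[parent].dnskey_tags and dnskey_validated(parent, anchors, view)


def dnskey_validated(zone: str, anchors: Anchors, view: View) -> bool:
    """RFC 4035-style rule: the DNSKEY RRset is authenticated if a key that signed
    it is a configured anchor for this zone or matches a record in the parent's
    authenticated DS RRset.  Recursion only ever moves up the name tree."""
    zv = view.get(zone)
    if zv is None:
        return False
    for tag in zv.dnskey_signers & zv.dnskey_tags:
        if TrustAnchor(zone, tag) in anchors:
            return True
        if secure_delegation(zone, anchors, view):
            ds_tags, _ = view[parent_of(zone)].ds_for_child[zone]
            if tag in ds_tags:
                return True
    return False


def rrset_secure(zone: str, signer_tag: int, anchors: Anchors, view: View) -> bool:
    """An RRset is secure once its signing key sits in an authenticated DNSKEY RRset."""
    zv = view.get(zone)
    return zv is not None and signer_tag in zv.dnskey_tags and dnskey_validated(zone, anchors, view)


def highest_signer_anchors(anchors: Anchors, view: View) -> Anchors:
    """Assumed reading of the proposed policy: an anchor is ignored when its zone
    is securely delegated along a path from another configured anchor."""
    return {ta for ta in anchors
            if not secure_delegation(ta.zone, {o for o in anchors if o.zone != ta.zone}, view)}


def validate(zone: str, signer_tag: int, anchors: Anchors, view: View, policy: str) -> bool:
    if policy == "accept-any-success":
        effective = set(anchors)
    elif policy == "highest-signer":
        effective = highest_signer_anchors(anchors, view)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return rrset_secure(zone, signer_tag, effective, view)


# Constructed scenario: anchors for example.com (tag 1001) and child.example.com
# (old key 2001).  Key 2001 was compromised, the child rolled to 2002 and the
# parent's DS now names 2002, but the validator's configuration was never updated.
ANCHORS: Anchors = {TrustAnchor("example.com", 1001), TrustAnchor("child.example.com", 2001)}
PARENT = ZoneView(frozenset({1001}), frozenset({1001}),
                  {"child.example.com": (frozenset({2002}), 1001)})
HONEST_VIEW: View = {"example.com": PARENT,
                     "child.example.com": ZoneView(frozenset({2002}), frozenset({2002}), {})}
# An attacker holding 2001 serves a forged DNSKEY RRset for the child signed by 2001.
ATTACK_VIEW: View = {"example.com": PARENT,
                     "child.example.com": ZoneView(frozenset({2001}), frozenset({2001}), {})}
# No DS at the parent: no path from the parent anchor, so the child anchor is the
# highest signer for its own zone and stays in use under both policies.
ISLAND_VIEW: View = {"example.com": ZoneView(frozenset({1001}), frozenset({1001}), {}),
                     "child.example.com": ZoneView(frozenset({2001}), frozenset({2001}), {})}

if __name__ == "__main__":
    for name, view, tag in (("honest", HONEST_VIEW, 2002), ("attack", ATTACK_VIEW, 2001),
                            ("island", ISLAND_VIEW, 2001)):
        for policy in ("accept-any-success", "highest-signer"):
            print(f"{name:6} {policy:18}", validate("child.example.com", tag, ANCHORS, view, policy))
```

Under "accept-any-success" the forged child data in ATTACK_VIEW validates, because the stale anchor for key 2001 matches directly; under "highest-signer" the child anchor is dropped as soon as example.com is seen to publish an authenticated DS for child.example.com, so the same forged data is rejected while the honest post-rollover zone still validates through the parent. ISLAND_VIEW shows the limit of the policy: with no DS at the parent there is no DNSSEC path from the higher anchor, so the child anchor remains in effect and a compromise there is not caught.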