[secdir] Secdir review of draft-ietf-dnsop-rfc2845bis-06
Magnus Nyström <magnusn@gmail.com> Mon, 20 January 2020 05:37 UTC
From: Magnus Nyström <magnusn@gmail.com>
Date: Sun, 19 Jan 2020 21:37:36 -0800
Message-ID: <CADajj4YxgdNXkWX7dLP0nBDWXLSKFa8M_KWWCPCgfCibYtWkAw@mail.gmail.com>
To: secdir@ietf.org, draft-ietf-dnsop-rfc2845bis@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/-2OKlVBYai6MQUWvsUODpGpS6Go>
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document defines a mechanism to provide authenticity and integrity of DNS transactions such as update requests.

My main comment about this document is that it recommends use, and mandates support, of HMAC-SHA1, even truncated HMAC-SHA1. In light of recent cryptanalysis results, e.g.,

- https://eprint.iacr.org/2020/014.pdf
- https://www.mitls.org/downloads/transcript-collisions.pdf

it seems to me that an update to RFC 2845 would be better off not recommending (or even mandating) use of SHA-1 but rather stronger hash functions such as SHA-256.

Likewise, the statement "longer [authentication values] are believed to be stronger" is potentially misleading, as it is the strength of the algorithm, and not the length of its output, that ultimately determines its security.

Thanks,
-- Magnus
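The two issues the review raises, the choice of HMAC hash and the handling of truncated MACs, are easiest to see in a small verifier. The following is an added illustration, not code from the draft, from BIND or any other TSIG implementation, and not the reviewer's. It stands in a placeholder byte string for the real TSIG signing input (the DNS message plus the TSIG variables), maps the two algorithm names to Python's hashlib constructors, and assumes a truncation policy of "at least 10 octets and at least half the full digest", which is modelled on the TSIG truncation rule but should be replaced by whatever policy your deployment sets (refusing truncation altogether is a valid choice). The sample key and input are the first HMAC test vector from RFC 2202 / RFC 4231, so the untruncated MACs can be checked against published values.

```python
"""
Illustrative TSIG-style MAC computation and verification (added example).

Not the draft's or any implementation's code.  The signing input is a
placeholder byte string, not a real DNS message, and the truncation policy
in min_mac_len() is an assumption to be replaced by local policy.
"""
import hashlib
import hmac
from typing import Optional, Tuple

# Assumed mapping from TSIG algorithm names to digest constructors.
ALGORITHMS = {
    "hmac-sha1": hashlib.sha1,
    "hmac-sha256": hashlib.sha256,
}


def digest_size(algorithm: str) -> int:
    """Full output length of the algorithm's HMAC, in octets."""
    return ALGORITHMS[algorithm]().digest_size


def min_mac_len(algorithm: str) -> int:
    """Smallest truncated MAC this verifier accepts.

    Assumed policy, modelled on the TSIG truncation rule: at least 10 octets
    (80 bits) and at least half the algorithm's full output.  A stricter
    local policy (e.g. no truncation at all) is a reasonable alternative.
    """
    return max(10, digest_size(algorithm) // 2)


def compute_mac(algorithm: str, key: bytes, signing_input: bytes,
                mac_len: Optional[int] = None) -> bytes:
    """HMAC over the signing input, optionally truncated to its leftmost octets.

    Truncation below policy is refused here too, so a signer cannot emit a
    MAC that a policy-conformant verifier would have to reject.
    """
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    full = hmac.new(key, signing_input, ALGORITHMS[algorithm]).digest()
    if mac_len is None:
        return full
    if not min_mac_len(algorithm) <= mac_len <= len(full):
        raise ValueError(f"mac_len {mac_len} outside policy for {algorithm}")
    return full[:mac_len]


def verify_mac(algorithm: str, key: bytes, signing_input: bytes,
               received_mac: bytes) -> Tuple[bool, str]:
    """Verify a possibly truncated MAC; returns (accepted, reason).

    Order matters: the algorithm and the received MAC length are checked
    against policy before any comparison, so a peer cannot shrink the MAC to
    a few octets and brute-force it.  The expected MAC is then truncated to
    the received length and compared in constant time.
    """
    if algorithm not in ALGORITHMS:
        return False, "unsupported algorithm"
    n = len(received_mac)
    if n < min_mac_len(algorithm) or n > digest_size(algorithm):
        return False, f"mac length {n} outside policy"
    expected = compute_mac(algorithm, key, signing_input, n)
    if not hmac.compare_digest(expected, received_mac):
        return False, "bad signature"
    return True, "ok"


# Constructed sample input: RFC 2202 / RFC 4231 test case 1 (key = 0x0b x 20,
# data = "Hi There"), standing in for the TSIG signing data.
SAMPLE_KEY = bytes.fromhex("0b" * 20)
SAMPLE_INPUT = b"Hi There"


if __name__ == "__main__":
    for alg in ALGORITHMS:
        full = compute_mac(alg, SAMPLE_KEY, SAMPLE_INPUT)
        print(f"{alg}: {len(full)} octets, min accepted {min_mac_len(alg)}, "
              f"mac={full.hex()}")
    trunc = compute_mac("hmac-sha256", SAMPLE_KEY, SAMPLE_INPUT, 16)
    print("16-octet hmac-sha256:", verify_mac("hmac-sha256", SAMPLE_KEY, SAMPLE_INPUT, trunc))
    print("4-octet prefix:", verify_mac("hmac-sha256", SAMPLE_KEY, SAMPLE_INPUT, trunc[:4]))
    print("tampered input:", verify_mac("hmac-sha256", SAMPLE_KEY, SAMPLE_INPUT + b"x", trunc))
```

Swapping SHA-1 for SHA-256 is a one-line change in the algorithm table; the length checks and the constant-time comparison are what keep a truncated MAC from becoming a guessing game, which is the distinction the review draws between output length and algorithm strength.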