[secdir] Sec-Dir review of draft-ietf-dnsext-dnssec-algo-signal-09

"Moriarty, Kathleen" <kathleen.moriarty@emc.com> Thu, 18 April 2013 14:18 UTC

From: "Moriarty, Kathleen" <kathleen.moriarty@emc.com>
To: "draft-ietf-dnsext-dnssec-algo-signal.all@tools.ietf.org" <draft-ietf-dnsext-dnssec-algo-signal.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Date: Thu, 18 Apr 2013 10:18:25 -0400
Thread-Topic: Sec-Dir review of draft-ietf-dnsext-dnssec-algo-signal-09
Message-ID: <F5063677821E3B4F81ACFB7905573F24DAA98FA1@MX15A.corp.emc.com>
Cc: "steve@shinkuro.com" <steve@shinkuro.com>, "scottr.nist@gmail.com" <scottr.nist@gmail.com>
Subject: [secdir] Sec-Dir review of draft-ietf-dnsext-dnssec-algo-signal-09

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Summary: This document specifies a way for a client to signal its digital signature and hash algorithm knowledge to a cache or server.  The intent is for it to be used by cache or server administrators to track evolving algorithm support.

Detail: The draft seems straightforward and is just a method for clients to notify the server of supported algorithms.  The only other attack I can think of, that is not mentioned, would be a denial of service.  You may want to add this to the security considerations and any notes on how it can be prevented (connections or logs).

Best regards,
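Added illustration (not part of the review above, the draft, or any implementation): a Python sketch of how a cache or server might consume the algorithm-signaling EDNS0 options and keep the per-client record the summary describes, with the two bounds an operator would want against the denial-of-service concern the reviewer raises. The option codes used are the ones the IANA EDNS option registry assigns for DAU, DHU and N3U (5, 6 and 7); the query builder, the sample client addresses and the size limits are constructed here and are assumptions, not values from the draft.

```python
import struct
from collections import OrderedDict

# EDNS0 option codes from the IANA registry for algorithm-understanding signaling.
DAU = 5   # DNSSEC signing algorithms the client understands
DHU = 6   # DS hash algorithms the client understands
N3U = 7   # NSEC3 hash algorithms the client understands
SIGNAL_OPTIONS = {DAU: "DAU", DHU: "DHU", N3U: "N3U"}
OPT_TYPE = 41


def encode_name(name):
    """Wire-format a dotted name (uncompressed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, options=None):
    """Constructed sample query; options is a list of (code, [algorithm numbers])
    placed in an OPT RR, or None for a query without EDNS."""
    arcount = 0 if options is None else 1
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    if options is None:
        return header + question
    rdata = b"".join(struct.pack("!HH", code, len(algs)) + bytes(algs)
                     for code, algs in options)
    # OPT RR: root owner name, type 41, UDP size in CLASS, DO bit set in the TTL field.
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0x00008000, len(rdata)) + rdata
    return header + question + opt


def skip_name(msg, off):
    """Advance past a wire-format name, handling a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_signaled_algorithms(msg, max_algs=64):
    """Return {'DAU': [...], 'DHU': [...], 'N3U': [...]} from the first OPT RR,
    or None when the query carries no OPT RR. Each algorithm number is one byte,
    so a legitimate list is short; max_algs is an assumed cap that rejects padded
    or oversized options instead of storing them (a denial-of-service guard)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns):
        off = skip_name(msg, off)
        rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlen
    for _ in range(ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        result = {}
        pos = 0
        while pos < len(rdata):
            if pos + 4 > len(rdata):
                raise ValueError("truncated EDNS option header")
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            data = rdata[pos + 4:pos + 4 + olen]
            if len(data) != olen:
                raise ValueError("EDNS option length exceeds RDATA")
            pos += 4 + olen
            if code in SIGNAL_OPTIONS:
                if olen > max_algs:
                    raise ValueError("oversized %s option" % SIGNAL_OPTIONS[code])
                result[SIGNAL_OPTIONS[code]] = sorted(set(data))
        return result
    return None


class AlgorithmSupportTracker:
    """Bounded per-client record of signaled algorithms for operator reporting.
    The client cap (an assumed value) keeps memory fixed no matter how many
    distinct sources send signaling options; the oldest entry is evicted."""

    def __init__(self, max_clients=10000):
        self.max_clients = max_clients
        self.clients = OrderedDict()
        self.dropped = 0

    def record(self, client, signaled):
        if client not in self.clients and len(self.clients) >= self.max_clients:
            self.clients.popitem(last=False)
            self.dropped += 1
        self.clients[client] = signaled
        self.clients.move_to_end(client)

    def support_counts(self, option):
        """How many tracked clients signaled each algorithm for DAU/DHU/N3U."""
        counts = {}
        for signaled in self.clients.values():
            for alg in signaled.get(option, []):
                counts[alg] = counts.get(alg, 0) + 1
        return counts
```

The parser returns the algorithm lists rather than logging the raw option bytes, and the tracker stores one entry per client with a fixed ceiling, so a flood of signaling queries from many sources consumes bounded memory and a single query cannot inject an arbitrarily large option into the operator's records.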