[secdir] SECDIR review of draft-ietf-dnsop-dns-zone-digest-11
Donald Eastlake <d3e3e3@gmail.com> Mon, 28 September 2020 02:51 UTC
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Sun, 27 Sep 2020 22:50:56 -0400
Message-ID: <CAF4+nEGq3Ez+qMVf1JKxLqBNxb7OA-7Y=-OV4OSHNkVYzA+qoA@mail.gmail.com>
To: draft-ietf-dnsop-dns-zone-digest.all@ietf.org, "iesg@ietf.org" <iesg@ietf.org>
Cc: secdir <secdir@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/8GvAHKqSKqwjgGM27Y8zNq9K_jI>
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is Ready with Nits.

Overall, I am pretty happy with the state of the draft. Essentially all of the comments from my review of -09 have been resolved and I don't see any problem with other changes that have been made. However, on reviewing -11, I did come up with a few things as listed below.

Section 2, last sentence right before the Section 2.1 header, should "recommended" be all capital?

Something I didn't notice in my first review: Section 2.2.1, ZONEMD already covers the SOA that is in the zone and so includes the zone serial in its Digest. Thus it seems a little odd to say that the field is needed to make the DNS response meaningful. I'm not suggesting removing the field or anything... Perhaps some wording change like the following:

OLD
   It is included here in order to make DNS response messages of type
   ZONEMD meaningful. Without the serial number, a stand-alone ZONEMD
   digest has no association to any particular instance of a zone.
NEW
   It is included here to clearly bind the ZONEMD RR to a particular
   version of the zone's content. Without the serial number, a
   stand-alone ZONEMD digest has no obvious association to any
   particular instance of a zone.

Section 3.1, last sentence just before the Section 3.2 header: This says ZONEMD RRs are excluded from digest calculation but in Section 2.1 it says that non-apex ZONEMD RRs are treated as ordinary RRs and included. I think that 2.1 is correct and suggest inserting the word "apex" so the last sentence of Section 3.1 starts with "Since apex ZONEMD RRs are excluded ..." Although less important, "apex" probably should also be inserted before "ZONEMD" in the fourth and sixth bullet points of Section 3.3.1.1.

Section 5.3, the last sentence, after the table, is no longer needed, since that information is given above the table, so it should be deleted.

Section 6.2: Need to expand KSK on first use or alternatively, since it is the only use, just not use the acronym at all and spell it out in full.

Section 6.3: Size estimate for ZONEMD RR seems a bit low, perhaps based on algorithms in earlier versions of the draft with shorter digests. I would say 55 to 85 octets would be a better current estimate.

Section 6.4: In the second paragraph, I think you mean "private use hash algorithm code points", not "private use hash algorithms".

That's it.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 2386 Panoramic Circle, Apopka, FL 32703 USA
 d3e3e3@gmail.com
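The digest-input rules the review turns on (apex ZONEMD RRs and the RRSIG covering them are left out, a non-apex ZONEMD is an ordinary RR and is covered, and the apex SOA with its serial is covered) as an added example, not part of the original message or of the draft. It models RR selection and canonical ordering over a constructed toy zone; the per-RR text line it hashes is a stand-in for RFC 4034 canonical wire format, so the digest value is illustrative and not interoperable with real ZONEMD.

```python
import hashlib

# Constructed toy zone (not from the draft): (owner, ttl, type, rdata-as-text).
APEX = "example.com."
ZONE = [
    (APEX, 3600, "SOA", "ns1.example.com. admin.example.com. 2020092801 7200 3600 1209600 3600"),
    (APEX, 3600, "NS", "ns1.example.com."),
    # Apex ZONEMD and the RRSIG covering it are excluded from the digest input.
    (APEX, 3600, "ZONEMD", "2020092801 1 1 PLACEHOLDERDIGEST"),
    (APEX, 3600, "RRSIG", "ZONEMD 13 2 3600 20201028000000 20200928000000 12345 example.com. PLACEHOLDERSIG"),
    ("ns1.example.com.", 3600, "A", "192.0.2.1"),
    # A non-apex ZONEMD is an ordinary RR and is covered by the digest.
    ("sub.example.com.", 3600, "ZONEMD", "1 1 1 PLACEHOLDERDIGEST"),
]

def canonical_key(rr):
    """Sort key approximating RFC 4034 canonical order: labels from the root, lowercase."""
    owner, _ttl, rtype, rdata = rr
    labels = owner.rstrip(".").lower().split(".")
    return (labels[::-1], rtype, rdata)

def is_excluded(rr, apex):
    """Apex ZONEMD RRs and apex RRSIGs covering ZONEMD are left out; everything else is hashed."""
    owner, _ttl, rtype, rdata = rr
    if owner.lower() != apex.lower():
        return False
    return rtype == "ZONEMD" or (rtype == "RRSIG" and rdata.split()[0] == "ZONEMD")

def covered_rrs(zone, apex):
    """The RRs that feed the digest, in the order they are hashed."""
    return sorted((rr for rr in zone if not is_excluded(rr, apex)), key=canonical_key)

def zone_digest(zone, apex, hash_alg="sha384"):
    """Hash the covered RRs. Real ZONEMD hashes canonical wire format (RFC 4034 s6.2);
    this stand-in hashes one text line per RR, so the value is illustrative only."""
    h = hashlib.new(hash_alg)
    for owner, ttl, rtype, rdata in covered_rrs(zone, apex):
        h.update(f"{owner.lower()} {ttl} IN {rtype} {rdata}\n".encode())
    return h.hexdigest()

def bump_serial(zone, apex, new_serial):
    """Return a copy of the zone whose apex SOA carries new_serial (field 3 of SOA RDATA)."""
    out = []
    for owner, ttl, rtype, rdata in zone:
        if owner.lower() == apex.lower() and rtype == "SOA":
            f = rdata.split(); f[2] = str(new_serial); rdata = " ".join(f)
        out.append((owner, ttl, rtype, rdata))
    return out
```

Because the SOA is covered, bumping the serial alone changes the digest, while editing the apex ZONEMD RDATA does not; a verifier can therefore compare a received ZONEMD against a freshly computed digest without the apex record's own contents feeding the calculation.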