Re: [secdir] Review of draft-ietf-dnsext-dnssec-gost-05

[Olafur Gudmundsson <ogud@ogud.com>]

At 18:43 14/01/2010, Samuel Weiler wrote:
>On Thu, 14 Jan 2010, Richard L. Barnes wrote:
>
>>Section 5:
>>This section seems unnecessary, since GOST has only one size for 
>>keys, signatures, and digests.
>
> From the perspective of the DNS world, I think being explicit about 
> this is actually pretty handy.  I see benefit in leaving it.
>
>Other than that, I generally concur with the secdir reviews received 
>to date, particuarly the lowering of the requirement level.
>
>
>Also, while I haven't thoroughly reviewed this draft since April 
>2009 (when the DNSEXT WG was asking whether to adopt it or not), a 
>couple of things jump out, which I'll share now rather than wait for 
>the IETF last call:



>Section 6.2, on NSEC3 support, is a little vague.  I think the doc 
>means "zones signed with the algorithms specified in this document 
>may use either NSEC or NSEC3 and validators supporting this 
>algorithm must support both NSEC and NSEC3".  I'm not sure my 
>wording is much clearer, but a change is needed.
>
>In the IANA considerations, do not use the asterisk.  Just say that 
>this algorithm suite isn't being defined for transaction security mechanisms.

I agree the document should say one way or the other, not supporting
Transaction security is easier on all.


>Also, the IANA considerations section includes the requirement 
>status column, which implicitly assumes that we are advancing 
>draft-ietf-dnsext-dnssec-registry-fixes-01.  I'm not convinced 
>that's going to happen any time soon, particularly given the 
>lackluster response to draft-ogud-iana-protocol-maintenance-words, 
>which it depends on.  So... that needs to be tracked.  It's not 
>necessary to cite registry-fixes, but it probably is necessary to 
>treat it as a dependency for publication purposes.

Good point, will talk to AD about this before the document
goes to the IESG after IETF LC ends.

         Olafur