Re: [secdir] volunteer for draft-rafiee-intarea-cga-tsig

[Sam Hartman <hartmans-ietf@mit.edu>]

I took a look at draft-rafiee-intarea-cga-tsig.

The idea is generally sound although I did not fully debug the algorithm
as discussed below. Unfortunately, the draft needs a lot of work before
it's ready.

Comments:

Section 3 contains a number of claims regarding protecting the exchanges
between the resolver and client. Is tsig actually used for DNS
resolution or just for update/zone transfer?
Section 3 should be reviewed to determine whether all the use cases are
in fact applicable for use of tsig.

The draft really needs help from someone with an eye towards
abstraction.
Section 4 repeates much of the key generation from the CGA specification
and repeats a lot of detail from the TSIG specification as well.
The rest of the draft tends to suffer from this as well.

Unfortunately, that approach--repeating (and sometimes changing) text
from CGA and TSIG is highly problematic. It makes it hard to evaluate
correctness of this specification and to identify all the differences
between this specification and the existing specifications.  In
addition, it makes it hard to understand how this specification might
interact with existing extensions to CGAs and existing or future
extensions to DNS-TSIG.

Please ask someone from the DNS community to review the shortening of
the TSIG exchange and the removal of the TKEY RR type.

The general textual clarity could be significantly improved.

I don't think this draft is ready for adoption, but I do think that the
ideas expressed here could be a valid basis for future work.

--Sam