Re: [secdir] secdir review of draft-ietf-dnsop-edns-key-tag-03

"Wessels, Duane" <dwessels@verisign.com> Thu, 12 January 2017 18:32 UTC

From: "Wessels, Duane" <dwessels@verisign.com>
To: "Scott G. Kelly" <scott@hyperthought.com>
Date: Thu, 12 Jan 2017 18:32:45 +0000
Message-ID: <6CC26A67-84B2-4227-8FBD-B01DD78D7C94@verisign.com>
References: <1483990038.1669640@apps.rackspace.com>
In-Reply-To: <1483990038.1669640@apps.rackspace.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/RreGlrYZVbQLHAWrg_rjQlMz7fw>
Cc: "draft-ietf-dnsop-edns-key-tag.all@ietf.org" <draft-ietf-dnsop-edns-key-tag.all@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-dnsop-edns-key-tag-03

> On Jan 9, 2017, at 2:27 PM, Scott G. Kelly <scott@hyperthought.com> wrote:
> 
> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.
> 
> Summary: this draft is ready.
> 
> From the introduction, 
> 
>   This draft sets out to specify a way for validating resolvers to tell
>   a server in a DNS query which DNSSEC key(s) they would use to
>   validate responses from that zone.  This is done in two ways: using
>   an EDNS option for use in the OPT meta-RR [RFC6891] that contains the
>   key tags (described in Section 4), and by periodically sending
>   special "key tag queries" to a server authoritative for the zone
>   (described in Section 5).
> 
> That pretty well sums it up. The security and privacy considerations sections cover all relevant issues. I see no problems with this document.
> 
> Minor editorial comment: section 5.3 ends with this bracketed comment:
> 
> [ Note RFC1035 says NULL
>   RRs are not allowed in master files, but I believe that to be
>   incorrect ]
> 
> I assume this will be resolved prior to publication?


Thanks Scott,

Yes, I propose to simply remove that sentence for the next version of the document.

DW
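The two signalling mechanisms the quoted introduction describes, as an added Python example that is not part of this thread or of the draft's own text: the RFC 4034 Appendix B key tag computed over DNSKEY RDATA, the wire encoding of the EDNS key tag option (option code 14 as later assigned for RFC 8145, an assumption here), and the `_ta-` key tag query name (its format, lowercase 4-digit hex joined by hyphens, is assumed from the draft's Section 5). The DNSKEY bytes are constructed, not a real key.

```python
import struct

# Assumed: the IANA EDNS option code for edns-key-tag (RFC 8145).
EDNS_KEY_TAG_OPTION_CODE = 14


def dnskey_key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, protocol, algorithm, key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF       # fold the carry back into the low 16 bits
    return ac & 0xFFFF


def build_dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def encode_edns_key_tag_option(key_tags: list[int]) -> bytes:
    """EDNS option: OPTION-CODE, OPTION-LENGTH, then one 16-bit key tag per trusted key."""
    data = b"".join(struct.pack("!H", t) for t in key_tags)
    return struct.pack("!HH", EDNS_KEY_TAG_OPTION_CODE, len(data)) + data


def decode_edns_key_tag_option(option: bytes) -> list[int]:
    """Parse one option from an OPT RR; reject a wrong code or an odd/short payload."""
    code, length = struct.unpack("!HH", option[:4])
    if code != EDNS_KEY_TAG_OPTION_CODE:
        raise ValueError("not an edns-key-tag option")
    data = option[4:4 + length]
    if len(data) != length or length % 2:
        raise ValueError("malformed key tag option")
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(0, length, 2)]


def key_tag_query_name(key_tags: list[int], zone: str = ".") -> str:
    """Assumed Section 5 form: '_ta-' + hex key tags joined by '-', QTYPE NULL, under the zone."""
    label = "_ta-" + "-".join(f"{t:04x}" for t in sorted(key_tags))
    return label if zone == "." else f"{label}.{zone}"


if __name__ == "__main__":
    # Constructed DNSKEY: KSK flags 257, protocol 3, algorithm 8, dummy 4-byte key.
    tag = dnskey_key_tag(build_dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04"))
    print(tag, encode_edns_key_tag_option([tag]).hex(), key_tag_query_name([tag]))
```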