IETF Logo Mail Archive

Re: [secdir] SECDIR review of draft-ietf-dnsop-dns-zone-digest-11

Donald Eastlake <d3e3e3@gmail.com> Tue, 29 September 2020 15:07 UTC

Return-Path: <d3e3e3@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95BC33A0EAE; Tue, 29 Sep 2020 08:07:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fia1bHewuf8c; Tue, 29 Sep 2020 08:07:57 -0700 (PDT)
Received: from mail-io1-xd32.google.com (mail-io1-xd32.google.com [IPv6:2607:f8b0:4864:20::d32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A7B43A0EB0; Tue, 29 Sep 2020 08:07:50 -0700 (PDT)
Received: by mail-io1-xd32.google.com with SMTP id u6so5130491iow.9; Tue, 29 Sep 2020 08:07:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=O3p/33o+5CA2DzGmK4Us7uHgx/5uL2uTVjEZsYuoj2c=; b=k3HDwbjgUSq2D71HP38+GvKLSM8mbTrlARj+ckh4WhecQ5P7LQsUGrVDMiwtKLl6+9 cogZ7PUHNGCVgL0uTmuyu93qYDic+aYlpdLzZp8kWkDhhiiwkhn7ZTXY8gs8wcs1VGRE bnPlACNIMCJvNGYWU1/uzxTtbO2HrhUXxh4ixUTltXk0PjTQtnCajmfIR/4GwMF5eUNs X9TaA374a25/RmPoUzurZzKppvR47wd0JXfexZopQQmJNGswmdKDv25Al67pi8THdfnb vCsz2A4yjq1A2MUw1r/oU0xje/8bIfkHF1J/Jx2xBYps1vzQxe50xyd6ICWxgn4o9BQD LrAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=O3p/33o+5CA2DzGmK4Us7uHgx/5uL2uTVjEZsYuoj2c=; b=AtDnZ9y+uUlBbOVofiOws5EwvVBfmd6TApAVgYDJFEaAdtGLCN6nG6bvbMhKncTPNV g0lP2uvvHbIl6E7WheuT2plizabw8xTcpyGxnsKpluztoGFFrffVs3HnRz2myHj7qzjW CZagLHnvLvXv28WyXZBxnmIVhj71h4rbhc77A1J8asn+eYJSuGeo+Ub6sn4eLSpv9gFD sY4nmZ33cpaWqErDv8YI5Nu9YGL/FdP3RU7QDiweA/LFcNEm2yclB8Wxq4fn8KLK/82O dRrbyjUqxxlekbElMIoszbSXJ4Dw54oTGpBFYWJPyxlU0c18GB/M8ty8GCETc4Ms3oz9 aFGw==
X-Gm-Message-State: AOAM531A5Y1jULaDPF5nlv8dskETnWsQGeHjO67dH8Hsd2wtC86iyfn1 sXJvdKCDsPOzxVWeDDMH2GzR1xIoVTrmf/rN3AQ=
X-Google-Smtp-Source: ABdhPJyLE+PgZlN7kOUvLsFo+gEEfrOhvlg2Ow4nBr2rPIA0mOoX78LmlANLOos0D7ZWja5h4AxgSJlxllZDOSOUghQ=
X-Received: by 2002:a05:6638:250d:: with SMTP id v13mr3275219jat.50.1601392066840; Tue, 29 Sep 2020 08:07:46 -0700 (PDT)
MIME-Version: 1.0
References: <CAF4+nEGq3Ez+qMVf1JKxLqBNxb7OA-7Y=-OV4OSHNkVYzA+qoA@mail.gmail.com> <3D8D339D-C83A-45E9-9E0B-027C8F03B136@verisign.com>
In-Reply-To: <3D8D339D-C83A-45E9-9E0B-027C8F03B136@verisign.com>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Tue, 29 Sep 2020 11:07:35 -0400
Message-ID: <CAF4+nEGBFL7fYxrJy1AkpE9dgZFfz+s8BZLqXaDcOGEL_kZSWw@mail.gmail.com>
To: "Wessels, Duane" <dwessels@verisign.com>
Cc: "draft-ietf-dnsop-dns-zone-digest.all@ietf.org" <draft-ietf-dnsop-dns-zone-digest.all@ietf.org>, secdir <secdir@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Sts_EqdGxruYtpeo-GrxUFmRP7w>
Subject: Re: [secdir] SECDIR review of draft-ietf-dnsop-dns-zone-digest-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Sep 2020 15:08:00 -0000

Hi Duane,

Thanks for being so agreeable. As soon as a new version is posted with
the changes I'll send out a message confirming that all my comments
are resolved.

Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 2386 Panoramic Circle, Apopka, FL 32703 USA
 d3e3e3@gmail.com

On Mon, Sep 28, 2020 at 6:54 PM Wessels, Duane <dwessels@verisign.com> wrote:
>
>
>
> > On Sep 27, 2020, at 7:50 PM, Donald Eastlake <d3e3e3@gmail.com> wrote:
> >
> > I have reviewed this document as part of the security directorate's
> > ongoing effort to review all IETF documents being processed by the
> > IESG. Document editors and WG chairs should treat these comments just
> > like any other last call comments.
> >
> > The summary of the review is Ready with Nits.
> >
> > Overall, I am pretty happy with the state of the draft. Essentially
> > all of the comments from my review of -09 have been resolved and I
> > don't see any problem with other changes that have been made. However,
> > on reviewing -11, I did come up with a few things as listed below.
> >
> > Section 2, last sentence right before the Section 2.1 header, should
> > "recommended" be all capital?
>
> That change is fine with me.
>
>
> >
> > Something I didn't notice in my first review:
> > Section 2.2.1, ZONEMD already covers the SOA that is in the zone and
> > so includes the zone serial in its Digest. Thus it seems a little odd
> > to say that the field is needed to make the DNS response meaningful.
> > I'm not suggesting removing the field or anything... Perhaps some
> > wording change like the following:
> > OLD
> >   It is included here in order to make DNS response messages of type
> >   ZONEMD meaningful.  Without the serial number, a stand-alone ZONEMD
> >   digest has no association to any particular instance of a zone.
> > NEW
> >   It is included here to clearly bind the ZONEMD RR to a particular
> >   version of the zone's content. Without the serial number, a
> >   stand-alone ZONEMD digest has no obvious association to any
> >   particular instance of a zone.
>
> I think that is an improvement.
>
>
> >
> > Section 3.1, last sentence just before the Section 3.2 header: This
> > says ZONEMD RRs are excluded from digest calculation but in Section
> > 2.1 it says that non-apex ZONEMD RRs are treated are ordinary RRs and
> > included. I think that 2.1 is correct and suggest inserting the word
> > "apex" so the last sentence of Section 3.1 starts with "Since apex
> > ZONEMD RRs are excluded ..." Although less important, "apex" probably
> > should also be inserted before "ZONEMD" in the fourth and sixth bullet
> > points of Section 3.3.1.1.
>
> I don't mind inserting "apex" where you suggest.  I felt we were covered
> by the earlier statement that ZONEMD means apex ZONEMD unless stated
> otherwise, but its good to be explicit in those places.
>
>
>
> >
> > Section 5.3, the last sentence, after the table, is no longer needed,
> > since that information is given above the table, so it should be
> > deleted.
>
> Yes.
>
> > Section 6.2: Need to expand KSK on first use or alternatively, since it
> > is the only use, just not use the acronym at all and spell it out in
> > full.
>
> Done.
>
>
> >
> > Section 6.3: Size estimate for ZONEMD RR seems a bit low, perhaps
> > based on algorithms in earlier versions of the draft with shorter
> > digests. I would say 55 to 85 octets would be a better current
> > estimate.
>
> Yes indeed.  I changed it to "65 to 95" now since the smallest SHA384 SIMPLE
> RR is 65 bytes and a SHA512 SIMPLE RR for "example.com" is 93 bytes.
>
>
> >
> > Section 6.4: In the second paragraph, I think you mean "private use
> > hash algorithm code points", not "private use hash algorithms".
>
> Yes, thats better.
>
> >
> > That's it.
> >
> > Thanks,
> > Donald
>
> Thank you again.
>
> DW
>
>

v2.23.0 | Report a Bug | By Email