Re: [secdir] SECDIR review of draft-ietf-dnsop-dns-zone-digest-11
Donald Eastlake <d3e3e3@gmail.com> Tue, 29 September 2020 15:07 UTC
Return-Path: <d3e3e3@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95BC33A0EAE; Tue, 29 Sep 2020 08:07:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fia1bHewuf8c; Tue, 29 Sep 2020 08:07:57 -0700 (PDT)
Received: from mail-io1-xd32.google.com (mail-io1-xd32.google.com [IPv6:2607:f8b0:4864:20::d32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A7B43A0EB0; Tue, 29 Sep 2020 08:07:50 -0700 (PDT)
Received: by mail-io1-xd32.google.com with SMTP id u6so5130491iow.9; Tue, 29 Sep 2020 08:07:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=O3p/33o+5CA2DzGmK4Us7uHgx/5uL2uTVjEZsYuoj2c=; b=k3HDwbjgUSq2D71HP38+GvKLSM8mbTrlARj+ckh4WhecQ5P7LQsUGrVDMiwtKLl6+9 cogZ7PUHNGCVgL0uTmuyu93qYDic+aYlpdLzZp8kWkDhhiiwkhn7ZTXY8gs8wcs1VGRE bnPlACNIMCJvNGYWU1/uzxTtbO2HrhUXxh4ixUTltXk0PjTQtnCajmfIR/4GwMF5eUNs X9TaA374a25/RmPoUzurZzKppvR47wd0JXfexZopQQmJNGswmdKDv25Al67pi8THdfnb vCsz2A4yjq1A2MUw1r/oU0xje/8bIfkHF1J/Jx2xBYps1vzQxe50xyd6ICWxgn4o9BQD LrAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=O3p/33o+5CA2DzGmK4Us7uHgx/5uL2uTVjEZsYuoj2c=; b=AtDnZ9y+uUlBbOVofiOws5EwvVBfmd6TApAVgYDJFEaAdtGLCN6nG6bvbMhKncTPNV g0lP2uvvHbIl6E7WheuT2plizabw8xTcpyGxnsKpluztoGFFrffVs3HnRz2myHj7qzjW CZagLHnvLvXv28WyXZBxnmIVhj71h4rbhc77A1J8asn+eYJSuGeo+Ub6sn4eLSpv9gFD sY4nmZ33cpaWqErDv8YI5Nu9YGL/FdP3RU7QDiweA/LFcNEm2yclB8Wxq4fn8KLK/82O dRrbyjUqxxlekbElMIoszbSXJ4Dw54oTGpBFYWJPyxlU0c18GB/M8ty8GCETc4Ms3oz9 aFGw==
X-Gm-Message-State: AOAM531A5Y1jULaDPF5nlv8dskETnWsQGeHjO67dH8Hsd2wtC86iyfn1 sXJvdKCDsPOzxVWeDDMH2GzR1xIoVTrmf/rN3AQ=
X-Google-Smtp-Source: ABdhPJyLE+PgZlN7kOUvLsFo+gEEfrOhvlg2Ow4nBr2rPIA0mOoX78LmlANLOos0D7ZWja5h4AxgSJlxllZDOSOUghQ=
X-Received: by 2002:a05:6638:250d:: with SMTP id v13mr3275219jat.50.1601392066840; Tue, 29 Sep 2020 08:07:46 -0700 (PDT)
MIME-Version: 1.0
References: <CAF4+nEGq3Ez+qMVf1JKxLqBNxb7OA-7Y=-OV4OSHNkVYzA+qoA@mail.gmail.com> <3D8D339D-C83A-45E9-9E0B-027C8F03B136@verisign.com>
In-Reply-To: <3D8D339D-C83A-45E9-9E0B-027C8F03B136@verisign.com>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Tue, 29 Sep 2020 11:07:35 -0400
Message-ID: <CAF4+nEGBFL7fYxrJy1AkpE9dgZFfz+s8BZLqXaDcOGEL_kZSWw@mail.gmail.com>
To: "Wessels, Duane" <dwessels@verisign.com>
Cc: "draft-ietf-dnsop-dns-zone-digest.all@ietf.org" <draft-ietf-dnsop-dns-zone-digest.all@ietf.org>, secdir <secdir@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Sts_EqdGxruYtpeo-GrxUFmRP7w>
Subject: Re: [secdir] SECDIR review of draft-ietf-dnsop-dns-zone-digest-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Sep 2020 15:08:00 -0000
Hi Duane, Thanks for being so agreeable. As soon as a new version is posted with the changes I'll send out a message confirming that all my comments are resolved. Donald =============================== Donald E. Eastlake 3rd +1-508-333-2270 (cell) 2386 Panoramic Circle, Apopka, FL 32703 USA d3e3e3@gmail.com On Mon, Sep 28, 2020 at 6:54 PM Wessels, Duane <dwessels@verisign.com> wrote: > > > > > On Sep 27, 2020, at 7:50 PM, Donald Eastlake <d3e3e3@gmail.com> wrote: > > > > I have reviewed this document as part of the security directorate's > > ongoing effort to review all IETF documents being processed by the > > IESG. Document editors and WG chairs should treat these comments just > > like any other last call comments. > > > > The summary of the review is Ready with Nits. > > > > Overall, I am pretty happy with the state of the draft. Essentially > > all of the comments from my review of -09 have been resolved and I > > don't see any problem with other changes that have been made. However, > > on reviewing -11, I did come up with a few things as listed below. > > > > Section 2, last sentence right before the Section 2.1 header, should > > "recommended" be all capital? > > That change is fine with me. > > > > > > Something I didn't notice in my first review: > > Section 2.2.1, ZONEMD already covers the SOA that is in the zone and > > so includes the zone serial in its Digest. Thus it seems a little odd > > to say that the field is needed to make the DNS response meaningful. > > I'm not suggesting removing the field or anything... Perhaps some > > wording change like the following: > > OLD > > It is included here in order to make DNS response messages of type > > ZONEMD meaningful. Without the serial number, a stand-alone ZONEMD > > digest has no association to any particular instance of a zone. > > NEW > > It is included here to clearly bind the ZONEMD RR to a particular > > version of the zone's content. Without the serial number, a > > stand-alone ZONEMD digest has no obvious association to any > > particular instance of a zone. > > I think that is an improvement. > > > > > > Section 3.1, last sentence just before the Section 3.2 header: This > > says ZONEMD RRs are excluded from digest calculation but in Section > > 2.1 it says that non-apex ZONEMD RRs are treated are ordinary RRs and > > included. I think that 2.1 is correct and suggest inserting the word > > "apex" so the last sentence of Section 3.1 starts with "Since apex > > ZONEMD RRs are excluded ..." Although less important, "apex" probably > > should also be inserted before "ZONEMD" in the fourth and sixth bullet > > points of Section 3.3.1.1. > > I don't mind inserting "apex" where you suggest. I felt we were covered > by the earlier statement that ZONEMD means apex ZONEMD unless stated > otherwise, but its good to be explicit in those places. > > > > > > > Section 5.3, the last sentence, after the table, is no longer needed, > > since that information is given above the table, so it should be > > deleted. > > Yes. > > > Section 6.2: Need to expand KSK on first use or alternatively, since it > > is the only use, just not use the acronym at all and spell it out in > > full. > > Done. > > > > > > Section 6.3: Size estimate for ZONEMD RR seems a bit low, perhaps > > based on algorithms in earlier versions of the draft with shorter > > digests. I would say 55 to 85 octets would be a better current > > estimate. > > Yes indeed. I changed it to "65 to 95" now since the smallest SHA384 SIMPLE > RR is 65 bytes and a SHA512 SIMPLE RR for "example.com" is 93 bytes. > > > > > > Section 6.4: In the second paragraph, I think you mean "private use > > hash algorithm code points", not "private use hash algorithms". > > Yes, thats better. > > > > > That's it. > > > > Thanks, > > Donald > > Thank you again. > > DW > >
- [secdir] SECDIR review of draft-ietf-dnsop-dns-zo… Donald Eastlake
- Re: [secdir] SECDIR review of draft-ietf-dnsop-dn… Wessels, Duane
- Re: [secdir] SECDIR review of draft-ietf-dnsop-dn… Donald Eastlake
- Re: [secdir] SECDIR review of draft-ietf-dnsop-dn… Donald Eastlake