Re: [secdir] volunteer for draft-rafiee-intarea-cga-tsig

Sean Turner <turners@ieca.com> Wed, 20 February 2013 00:04 UTC

Return-Path: <turners@ieca.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C494921F87A5 for <secdir@ietfa.amsl.com>; Tue, 19 Feb 2013 16:04:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.078
X-Spam-Level:
X-Spam-Status: No, score=-102.078 tagged_above=-999 required=5 tests=[AWL=0.188, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JTFZBKrPQlLQ for <secdir@ietfa.amsl.com>; Tue, 19 Feb 2013 16:04:04 -0800 (PST)
Received: from gateway03.websitewelcome.com (gateway03.websitewelcome.com [69.93.196.21]) by ietfa.amsl.com (Postfix) with ESMTP id 3AE3D21F8750 for <secdir@ietf.org>; Tue, 19 Feb 2013 16:04:04 -0800 (PST)
Received: by gateway03.websitewelcome.com (Postfix, from userid 5007) id DD770A0416E; Tue, 19 Feb 2013 18:04:03 -0600 (CST)
Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway03.websitewelcome.com (Postfix) with ESMTP id C56A8A040DA for <secdir@ietf.org>; Tue, 19 Feb 2013 18:04:03 -0600 (CST)
Received: from [108.45.16.214] (port=51846 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80) (envelope-from <turners@ieca.com>) id 1U7xAJ-0000iY-IJ; Tue, 19 Feb 2013 18:04:03 -0600
Message-ID: <512412F2.1070701@ieca.com>
Date: Tue, 19 Feb 2013 19:04:02 -0500
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: Sam Hartman <hartmans-ietf@mit.edu>
References: <5123E350.4040809@ieca.com> <tslip5n27s4.fsf@mit.edu>
In-Reply-To: <tslip5n27s4.fsf@mit.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator1743.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (thunderfish.local) [108.45.16.214]:51846
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 2
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20=
Cc: Ralph Droms <rdroms.ietf@gmail.com>, secdir@ietf.org
Subject: Re: [secdir] volunteer for draft-rafiee-intarea-cga-tsig
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2013 00:04:04 -0000

Sam,

Many thanks!

spt

On 2/19/13 6:39 PM, Sam Hartman wrote:
> I took a look at draft-rafiee-intarea-cga-tsig.
>
> The idea is generally sound although I did not fully debug the algorithm
> as discussed below. Unfortunately, the draft needs a lot of work before
> it's ready.
>
> Comments:
>
> Section 3 contains a number of claims regarding protecting the exchanges
> between the resolver and client. Is tsig actually used for DNS
> resolution or just for update/zone transfer?
> Section 3 should be reviewed to determine whether all the use cases are
> in fact applicable for use of tsig.
>
> The draft really needs help from someone with an eye towards
> abstraction.
> Section 4 repeates much of the key generation from the CGA specification
> and repeats a lot of detail from the TSIG specification as well.
> The rest of the draft tends to suffer from this as well.
>
> Unfortunately, that approach--repeating (and sometimes changing) text
> from CGA and TSIG is highly problematic. It makes it hard to evaluate
> correctness of this specification and to identify all the differences
> between this specification and the existing specifications.  In
> addition, it makes it hard to understand how this specification might
> interact with existing extensions to CGAs and existing or future
> extensions to DNS-TSIG.
>
> Please ask someone from the DNS community to review the shortening of
> the TSIG exchange and the removal of the TKEY RR type.
>
> The general textual clarity could be significantly improved.
>
> I don't think this draft is ready for adoption, but I do think that the
> ideas expressed here could be a valid basis for future work.
>
> --Sam
>