Re: [secdir] volunteer for draft-rafiee-intarea-cga-tsig

Ralph Droms <rdroms.ietf@gmail.com> Wed, 20 February 2013 14:33 UTC

Return-Path: <rdroms.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92ACB21F8780 for <secdir@ietfa.amsl.com>; Wed, 20 Feb 2013 06:33:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.541
X-Spam-Level:
X-Spam-Status: No, score=-103.541 tagged_above=-999 required=5 tests=[AWL=0.058, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7207NpdZlXkn for <secdir@ietfa.amsl.com>; Wed, 20 Feb 2013 06:33:40 -0800 (PST)
Received: from mail-vc0-f172.google.com (mail-vc0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id DE8E221F875F for <secdir@ietf.org>; Wed, 20 Feb 2013 06:33:39 -0800 (PST)
Received: by mail-vc0-f172.google.com with SMTP id l6so5071504vcl.17 for <secdir@ietf.org>; Wed, 20 Feb 2013 06:33:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=x-received:content-type:mime-version:subject:from:in-reply-to:date :cc:content-transfer-encoding:message-id:references:to:x-mailer; bh=aQiWj/xwBlDyTTD07YZOrNshtAb5McmJM0WNCP4ohF4=; b=rCyXr1Na38LT8Le8PuF8KxNpuPMB7kZ0uUlvGXowKIImCVhekw0rihfyYDYPgS/LAj jR5izB1uWf6aLbR0I93UTNL86yPASZjpqA/Ifd2zuPF+Tabo2y3lMyCH7gslwcLJzaKe 3n3mQrJFuNJiJfbLUrdnlsBEuvDfJpS/WAIb9F18FbduRrPdEXd4dgl3Cm16FWidRLXd 3x10vclUlPFsuTCUFxqw4nrlW6EJ64HtYCqZ//9UcRO/jtVun3CR1GjfzjxU+G7lvxGr e+FijzTZieDISLn9O5b4h5UReqJfbZvLH6+HehhVj657wEpLZmR1Z2TDuC+bBlVkDDC/ mVuA==
X-Received: by 10.52.22.74 with SMTP id b10mr22827607vdf.96.1361370819137; Wed, 20 Feb 2013 06:33:39 -0800 (PST)
Received: from ?IPv6:2001:420:2c51:1311:e123:1b78:f56b:cf9c? ([2001:420:2c51:1311:e123:1b78:f56b:cf9c]) by mx.google.com with ESMTPS id i17sm25658105vdj.1.2013.02.20.06.33.36 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 20 Feb 2013 06:33:38 -0800 (PST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Ralph Droms <rdroms.ietf@gmail.com>
In-Reply-To: <tslip5n27s4.fsf@mit.edu>
Date: Wed, 20 Feb 2013 09:33:34 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <23EF6229-4A9B-48DB-BAA7-2D4B37394247@gmail.com>
References: <5123E350.4040809@ieca.com> <tslip5n27s4.fsf@mit.edu>
To: Sam Hartman <hartmans-ietf@mit.edu>
X-Mailer: Apple Mail (2.1499)
Cc: secdir@ietf.org
Subject: Re: [secdir] volunteer for draft-rafiee-intarea-cga-tsig
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2013 14:33:40 -0000

Thanks for the quick review, Sam.

- Ralph

On Feb 19, 2013, at 6:39 PM 2/19/13, Sam Hartman <hartmans-ietf@mit.edu> wrote:

> I took a look at draft-rafiee-intarea-cga-tsig.
> 
> The idea is generally sound although I did not fully debug the algorithm
> as discussed below. Unfortunately, the draft needs a lot of work before
> it's ready.
> 
> Comments:
> 
> Section 3 contains a number of claims regarding protecting the exchanges
> between the resolver and client. Is tsig actually used for DNS
> resolution or just for update/zone transfer?
> Section 3 should be reviewed to determine whether all the use cases are
> in fact applicable for use of tsig.
> 
> The draft really needs help from someone with an eye towards
> abstraction.
> Section 4 repeates much of the key generation from the CGA specification
> and repeats a lot of detail from the TSIG specification as well.
> The rest of the draft tends to suffer from this as well.
> 
> Unfortunately, that approach--repeating (and sometimes changing) text
> from CGA and TSIG is highly problematic. It makes it hard to evaluate
> correctness of this specification and to identify all the differences
> between this specification and the existing specifications.  In
> addition, it makes it hard to understand how this specification might
> interact with existing extensions to CGAs and existing or future
> extensions to DNS-TSIG.
> 
> Please ask someone from the DNS community to review the shortening of
> the TSIG exchange and the removal of the TKEY RR type.
> 
> The general textual clarity could be significantly improved.
> 
> I don't think this draft is ready for adoption, but I do think that the
> ideas expressed here could be a valid basis for future work.
> 
> --Sam