IETF Logo Mail Archive

Re: [TLS] WGLC: draft-ietf-tls-dnssec-chain-extension-04

Shumon Huque <shuque@gmail.com> Fri, 07 July 2017 01:47 UTC

Return-Path: <shuque@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD8EB131532 for <tls@ietfa.amsl.com>; Thu, 6 Jul 2017 18:47:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5aRwRGxrrXah for <tls@ietfa.amsl.com>; Thu, 6 Jul 2017 18:47:05 -0700 (PDT)
Received: from mail-ua0-x236.google.com (mail-ua0-x236.google.com [IPv6:2607:f8b0:400c:c08::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B12C712EBFD for <tls@ietf.org>; Thu, 6 Jul 2017 18:47:05 -0700 (PDT)
Received: by mail-ua0-x236.google.com with SMTP id w19so12257310uac.0 for <tls@ietf.org>; Thu, 06 Jul 2017 18:47:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=QnLDyzdFoHjo4Gg94jf+w49juHizkxp0jat5mjJxoqo=; b=tmLPM1+GX511pPRGc9BWYqEtFRQri/Se5MrhUqLUlNIMiN3qJEmkvD8Picsas9KTPk Lyf08KxGQWTOKLuaGj27ibk/Au7GksNKxy+v/wzkdryFEKngLP5injpt/kbQHsf9Eu0n yRS5j3rQRzKWYLCwkpPR8VG+s+gEUqh4IB0bn+Vv2zb1kuITfs33vwp8DpY/TZGnRwGS EPIpqBJ8FxPHqKaX8Do+HwtM6JPHRvlnnlao0l/VtC1j+Z04901eNpJlPn1WOO7xGKOA 7gmdMeGBR1OCNjpiFsrNW/4PuysWynFk4MM9LXgUDn7ODhR65iotTpSz+tUNq5D4qiPm d6RQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=QnLDyzdFoHjo4Gg94jf+w49juHizkxp0jat5mjJxoqo=; b=gqWArRm3Za7T+fUdZTZwfSBlZdkh1v0CB0fLmTjclJVDN7HbpeA2vfDg0uXIIK6Ste RMqSiaJFXmLSoEQK8rrwfqGKkegdKnEsxR09WzJ3uN2jB0GoMij5wvXnSbxutRxrgE7c K/6YD7Co+sYowjxfccVJcLj5blvGvZiiuAkm231JMfzC+9Od339st0EfD7WHzmu3CZ3y Lfb4avZj3eTGWUgwSq1D+QGYZ0AV6cTn14s+JhH8m3JpDEicI7DVQ3aSivtGJc+Polrc yPIsIEM5PorkWgjy/Y15XL/ePH+CerrLgXd08M1kptxcwMBYLi7g4a5SgxRhTnX1Mgs1 FKOA==
X-Gm-Message-State: AKS2vOybHcrTgNiEYzlvRBdJH8/ND2y9CPqg16oi1Iy70UJVa8t0LDOr TAcCU8s6z/zUlEGqU/3lZuQCw1PnNdkk
X-Received: by 10.176.27.141 with SMTP id k13mr27898752uai.93.1499392024858; Thu, 06 Jul 2017 18:47:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.79.231 with HTTP; Thu, 6 Jul 2017 18:47:04 -0700 (PDT)
In-Reply-To: <765945B5-B686-45EB-84AE-38731C3006D6@rfc1035.com>
References: <765945B5-B686-45EB-84AE-38731C3006D6@rfc1035.com>
From: Shumon Huque <shuque@gmail.com>
Date: Thu, 06 Jul 2017 21:47:04 -0400
Message-ID: <CAHPuVdXwvbnfqm3O6GSTSD0BVG3JjdqQBjj9n4mvMOhzgHs-PA@mail.gmail.com>
To: Jim Reid <jim@rfc1035.com>
Cc: TLS WG <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c13be6e05563f0553b069e7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/RM_xWYL7qrXFQnixdnI3P1oOeas>
Subject: Re: [TLS] WGLC: draft-ietf-tls-dnssec-chain-extension-04
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jul 2017 01:47:08 -0000

On Wed, Jul 5, 2017 at 12:30 PM, Jim Reid <jim@rfc1035.com> wrote:

> I’ve got a few concerns/issues with the document.
>

Hi Jim,

I largely agree with the responses Viktor gave in a previous message. I'll
comment on the last point where he did not:


> 6) The draft doesn't seem to take account of key rollovers when DNS data
> will be signed by two or more keys. Zone signing keys are missing from the
> examples too. These might well have been omitted for cosmetic reasons. IMO
> they need to be included in the final document to illustrate what
> implementers can expect to find when the DNS returns signed data.
>

I assume you're referring to the examples in Appendix D (Test Vectors)?

These are working examples that implementers can test code against. But it
looks like the testbed involved in these examples uses combined signing
keys (i.e. ones that are both the zone's secure entry point and the ZSK).
Perhaps we should use an example with the KSK/ZSK split to make them look
more like the real world. Let me discuss with Willem Toorop (co-author) who
generated these ...

-- 
Shumon Huque

v2.23.0 | Report a Bug | By Email