[apps-discuss] APPSDIR review of draft-ietf-dnsext-dnssec-bis-updates-18
S Moonesamy <sm+ietf@elandsys.com> Tue, 22 May 2012 17:21 UTC
Return-Path: <sm@elandsys.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2064F21F8648; Tue, 22 May 2012 10:21:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.493
X-Spam-Level:
X-Spam-Status: No, score=-102.493 tagged_above=-999 required=5 tests=[AWL=0.106, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kyvew0gWwZwr; Tue, 22 May 2012 10:20:57 -0700 (PDT)
Received: from mx.ipv6.elandsys.com (mx.ipv6.elandsys.com [IPv6:2001:470:f329:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id 9807121F85DF; Tue, 22 May 2012 10:20:57 -0700 (PDT)
Received: from SUBMAN.elandsys.com ([41.136.234.13]) (authenticated bits=0) by mx.elandsys.com (8.14.5/8.14.5) with ESMTP id q4MHKfiB009175 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 22 May 2012 10:20:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=opendkim.org; s=mail2010; t=1337707254; i=@elandsys.com; bh=Qy9ZysTWWnHpJq6cOkxlM9R5qxg+qzsUDxNMEvMTSFY=; h=Date:To:From:Subject:Cc; b=oqhT2d2Rpfg+1nPEZRP7K0RvNlWF1rOX2yKuCT0oBN2mw/3PjATzR6wikdeCeXGSe n7G9PClL6OdvAhqUnLMBRsb3PRWYHfz5e+XFhbwwhgDPn2RYatT25QIbz1bd6WCLdT 3UlP7KfBMo2yqbJqk7YzF2twQfQMbg2ktxwhe8kk=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=elandsys.com; s=mail; t=1337707254; i=@elandsys.com; bh=Qy9ZysTWWnHpJq6cOkxlM9R5qxg+qzsUDxNMEvMTSFY=; h=Date:To:From:Subject:Cc; b=aQhoNtPHD+ccuNBWu0ZLkh7I7LEV4v9Dzg0nVIGuPV6GFmUR1xq57Y49S6tTJDnKk H+vaXjgH1Cl8L0qmpxJaUURw9G1W9m27Ax87JXR5wRoCsWlMf7/AbeiKPM26ecs08o VWNP3I9fl5UOMO5ZhuExtikNuyTGyPpfcKyr8xpw=
Message-Id: <6.2.5.6.2.20120522092115.0900a4a0@elandnews.com>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Tue, 22 May 2012 10:12:27 -0700
To: apps-discuss@ietf.org, draft-ietf-dnsext-dnssec-bis-updates.all@tools.ietf.org
From: S Moonesamy <sm+ietf@elandsys.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: dnsext@ietf.org, iesg@ietf.org
Subject: [apps-discuss] APPSDIR review of draft-ietf-dnsext-dnssec-bis-updates-18
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 May 2012 17:21:00 -0000
I have been selected as the Applications Area Directorate reviewer for this draft (for background on AppsDir, please see http://trac.tools.ietf.org/area/app/trac/wiki/ApplicationsAreaDirectorate ). The comments in this review do not bear more weight than comments submitted by an individual during a Last Call. It is suggested that the author asks the document shepherd for guidance about any changes suggested in a review. Document: draft-ietf-dnsext-dnssec-bis-updates-18 Title: Clarifications and Implementation Notes for DNSSECbis Reviewer: S. Moonesamy Review Date: May 22, 2012 IETF Last Call Date: May 17, 2012 Summary: This document is not ready for publication as a Proposed Standard. The proposal is a collection of technical clarifications to the DNSSECbis document set. DNSSEC is useful for application-related specifications which perform service location. The proposal does not directly affect any application-related specification. The proposal seems targeted at implementers who are fully conversant with the ins and outs of DNSSEC. Although the proposal is well-written, it lacks clarity as to what is being changed in the "DNSSECbis document set". It may end up being more confusing. There was an announcement that the DNSEXT WG would be shut down. The rush to publish these clarifications raises questions about whether the DNSSECbis documents will ever be advanced in the near future from Proposed Standard to Internet Standard. I erred on the side of caution in making the publication recommendation especially as the Security Considerations Section mentions that the validation algorithm clarifications in Section 4 are critical for preserving the security properties DNSSEC offers. Minor issues: In the Abstract Section: "This document is a collection of technical clarifications to the DNSSECbis document set. It is meant to serve as a resource to implementors as well as a repository of DNSSECbis errata." "DNSSECbis" seems more like an internal IETF term to identify the document set. RFC 4033, for example, does not have any mention of "DNSSECbis". I suggest using "DNSSEC protocol document set" and amending the title accordingly. In the Introduction Section: "This document lists some additions, clarifications and corrections to the core DNSSECbis specification". See above comment. In Section 2.1: "Note that the algorithm identifiers defined in RFC5155 (DSA-NSEC3- SHA1 and RSASHA1-NSEC3-SHA1) and RFC5702 (RSASHA256 and RSASHA512) signal that a zone MAY be using NSEC3, rather than NSEC. The zone MAY be using either and validators supporting these algorithms MUST support both NSEC3 and NSEC responses." It is not clear from the above text which parts of RFC 5155 is being modified. In Section 3.1: "Section 4.7 of RFC4035 permits security-aware resolvers to implement a BAD cache. Because of scaling concerns not discussed in this document, that guidance has changed: security-aware resolvers SHOULD implement a BAD cache as described in RFC4035." From Section 4.7 of RFC 4035: "To prevent such unnecessary DNS traffic, security-aware resolvers MAY cache data with invalid signatures, with some restrictions." If I understood the text from this draft, the "MAY" is being changed into a recommendation. In which cases would it better not to follow the recommendation? In Section 4.1: "In particular, the algorithm as presented would incorrectly allow an NSEC or NSEC3 RR from an ancestor zone to prove the non-existence of RRs in the child zone." Where is ancestor zone defined? "Ancestor delegation NSEC or NSEC3 RRs MUST NOT be used to assume non- existence of any RRs below that zone cut, which include all RRs at that (original) owner name other than DS RRs, and all RRs below that owner name regardless of type." It is not clear what is being clarified. Nits: In the Introduction Section: The IETF is now using two maturity levels. "Draft Standard" has been changed to "Internet Standard" In Section 6.3: This section discusses about errors in the examples in RFC 4035. As a stylistic comment, it is clearer to the reader if he/she could see the actual examples with the corrections made. Regards, S. Moonesamy
- [apps-discuss] APPSDIR review of draft-ietf-dnsex… S Moonesamy
- Re: [apps-discuss] APPSDIR review of draft-ietf-d… Andrew Sullivan
- Re: [apps-discuss] APPSDIR review of draft-ietf-d… Jiankang YAO
- Re: [apps-discuss] [dnsext] APPSDIR review of dra… Andrew Sullivan
- Re: [apps-discuss] APPSDIR review of draft-ietf-d… S Moonesamy