Hi Jinmei,

Thank you for the review.

----- Original Message -----
> From: "神明達哉" <jin...@wide.ad.jp>
> To: "dnsop" <dnsop@ietf.org>
> Sent: Monday, November 2, 2015 1:31:56 PM
> Subject: [DNSOP] comments on draft-muks-dnsop-dns-message-checksums
>
> I've read draft-muks-dnsop-dns-message-checksums-01. I think it's
> quite well written.
>
> I have a couple of comments about the draft:
>
> 1. I wonder whether this should be merged to draft-ietf-dnsop-cookies,
>    as both try to solve the same/similar problems with quite similar
>    approaches (note: I believe I understand the difference, and I'm
>    not saying dnsop-cookies will make dns-message-checksums
>    unnecessary).

I'm open to merging this with DNS cookies. OTOH, there have been suggestions of adding a dependency on DNS cookies (instead of using the NONCE field) that I'm now not in favour of (which I'll address separately).

> 2. Regarding the possibility of downgrade attack, you might want to add a
>    perhaps obvious (and weak) counter measure: cache the availability
>    of the feature per peer and use it as a hint for further queries.

This was also proposed by Shane Kerr. He is planning on contributing a section to the draft towards this.

I'll be uploading another revision soon that uses SHA-256, and clarifies some more things that were learned during BIND implementation (e.g., TSIG).

Mukund

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
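A sketch of the per-peer hint cache that point 2 of the review describes, as an added example: it is not code from the draft, from BIND, or from either author of this thread. The caller supplies whether a reply carried a message checksum and whether it verified; the cache remembers, per peer, whether that peer has recently sent a valid checksum and flags a later checksum-less reply from such a peer as a possible downgrade instead of silently accepting it. The hint TTL, the verdict names, the documentation-range peer addresses and the reply sequence are all constructed for this example.

```python
"""Per-peer cache of DNS message checksum support, used as a downgrade hint.

Added example only. Models the counter measure proposed in the review:
cache, per peer, whether the checksum feature has been seen, and use that as
a hint when judging later replies. Assumed: the caller has already parsed the
reply and knows whether a checksum was present and whether it verified.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

HINT_TTL = 3600.0  # seconds a positive hint stays usable (assumed value)


class Verdict(Enum):
    CHECKSUM_OK = "checksum-ok"                  # valid checksum; learn a positive hint
    CHECKSUM_BAD = "checksum-bad"                # present but did not verify; no learning
    NO_CHECKSUM_NO_HINT = "no-checksum-no-hint"  # absent, and no positive hint to contradict it
    POSSIBLE_DOWNGRADE = "possible-downgrade"    # absent, but this peer recently sent valid ones


@dataclass
class Hint:
    supports_checksum: bool
    seen_at: float


class ChecksumHintCache:
    """Remembers whether each peer has recently sent a verifiable checksum."""

    def __init__(self, ttl: float = HINT_TTL) -> None:
        self._ttl = ttl
        self._hints: Dict[str, Hint] = {}

    def hint_for(self, peer: str, now: float) -> Optional[Hint]:
        """Return the live hint for a peer, expiring stale positive hints."""
        hint = self._hints.get(peer)
        if hint is None:
            return None
        if hint.supports_checksum and now - hint.seen_at > self._ttl:
            del self._hints[peer]  # too old to justify a downgrade verdict
            return None
        return hint

    def classify(self, peer: str, present: bool, valid: bool, now: float) -> Verdict:
        """Judge one reply from `peer` and update the cached hint."""
        prior = self.hint_for(peer, now)
        if present:
            if not valid:
                return Verdict.CHECKSUM_BAD  # do not learn from an unverifiable reply
            self._hints[peer] = Hint(True, now)
            return Verdict.CHECKSUM_OK
        if prior is not None and prior.supports_checksum:
            # Keep the positive hint: one stripped reply must not erase it,
            # otherwise the attacker could clear the cache with the same trick.
            return Verdict.POSSIBLE_DOWNGRADE
        self._hints[peer] = Hint(False, now)
        return Verdict.NO_CHECKSUM_NO_HINT


# Constructed reply sequence: (time, peer, checksum present, checksum valid).
CONSTRUCTED_REPLIES: List[Tuple[float, str, bool, bool]] = [
    (0.0,    "198.51.100.7", True,  True),   # peer A answers with a valid checksum
    (10.0,   "198.51.100.7", True,  True),
    (20.0,   "198.51.100.7", False, False),  # checksum suddenly missing from A
    (30.0,   "203.0.113.9",  False, False),  # peer B has never sent one
    (40.0,   "203.0.113.9",  False, False),
    (50.0,   "198.51.100.7", True,  False),  # A sends a checksum that fails to verify
    (4000.0, "198.51.100.7", False, False),  # A's positive hint has expired by now
]


def replay(replies: List[Tuple[float, str, bool, bool]]) -> List[str]:
    """Run a reply sequence through a fresh cache and return the verdicts."""
    cache = ChecksumHintCache()
    return [cache.classify(peer, present, valid, t).value
            for t, peer, present, valid in replies]


if __name__ == "__main__":
    for (t, peer, present, valid), verdict in zip(CONSTRUCTED_REPLIES, replay(CONSTRUCTED_REPLIES)):
        print(f"t={t:7.1f} {peer:14} present={present!s:5} valid={valid!s:5} -> {verdict}")
```

The last two rows of the sequence show the limits the review calls "weak": a reply whose checksum fails to verify teaches the cache nothing, and once the positive hint ages out a checksum-less reply is again indistinguishable from a peer that never supported the feature, so the hint only helps for peers that have been seen clean recently.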