I just put it into IESG Evaluation a couple of hours ago. The recent changes were to address the SecDir review, which you can see here: https://mailarchive.ietf.org/arch/msg/secdir/RYS_YRmcHvwEauT-6UhvtqSJ9-8/
Barry On Mon, Sep 21, 2020 at 3:06 PM Michael StJohns <m...@nthpermutation.com> wrote: > > Adding IESG - I didn't realize it was in IESG evaluation. > > I'm not sure why this version was posted as there is nothing on the > datatracker that indicates there were IESG issues to be resolved. There > are several changes that were non-editorial that really shouldn't have > been included without WG review. 2.2.4 is the one that I would have > problems with the most. > > Mike > > > On 9/21/2020 2:26 PM, Michael StJohns wrote: > > 1.4.4 - "has not been modified." -> "has not been modified between > > origination and retrieval." > > > > 2.2.2 - "MUST be implemented" -> "SHOULD be implemented. Failure to > > implement this scheme without other standardized schemes being > > specified may result in a receiver being unable to validate the zone. > > However, it is possible to use ZONEMD with a private scheme, and for > > that reason the requirement is set at "SHOULD"". > > > > 2.2.3 - "SHA384...that MUST be implemented." -> "SHA384 is the only > > mandatory hash algorithm currently defined for the SIMPLE scheme, and > > MUST be implemented if the SIMPLE scheme is implemented". > > > > 2.2.4 - SHA384 has a hash length of 48 bytes. 12 bytes seems to imply > > some sort of left or right truncation. Show stopper! Explain how > > this value was selected and how it interacts with the native length of > > the chosen hash. Note: I have no trouble with truncated hashes here, > > but no modern hash has less than 20 bytes so 12 seems to be a very > > strange number absent a discussion of truncated hashes. > > > > 3.1 - "It is RECOMMENDED...SOA". Add "However, the TTL of the ZONEMD > > record may be safely ignored during verification in all cases." > > > > 6.2 - *sigh* No. Basically, this allows a zone that is done ZONEMD > > to push back on a parent zone that's doing key updates. (e.g. its not > > the keys in the zone being ZONEMD you're concerned about in this > > paragraph, but the keys in all of the parent zones). Use *EXACTLY* > > the same model for ZONEMD that DNSSEC would use and with exactly the > > same implications for verification. I'd delete this paragraph in its > > entirety. > > > > Mike > > > > > > On 9/21/2020 1:41 PM, internet-dra...@ietf.org wrote: > >> A New Internet-Draft is available from the on-line Internet-Drafts > >> directories. > >> This draft is a work item of the Domain Name System Operations WG of > >> the IETF. > >> > >> Title : Message Digest for DNS Zones > >> Authors : Duane Wessels > >> Piet Barber > >> Matt Weinberg > >> Warren Kumari > >> Wes Hardaker > >> Filename : draft-ietf-dnsop-dns-zone-digest-10.txt > >> Pages : 36 > >> Date : 2020-09-21 > >> > >> Abstract: > >> This document describes a protocol and new DNS Resource Record that > >> provides a cryptographic message digest over DNS zone data. The > >> ZONEMD Resource Record conveys the digest data in the zone itself. > >> When a zone publisher includes a ZONEMD record, recipients can > >> verify > >> the zone contents for accuracy and completeness. This provides > >> assurance that received zone data matches published data, regardless > >> of how the zone data has been transmitted and received. > >> > >> ZONEMD does not replace DNSSEC. Whereas DNSSEC protects individual > >> RRSets (DNS data with fine granularity), ZONEMD protects a zone's > >> data as a whole, whether consumed by authoritative name servers, > >> recursive name servers, or any other applications. > >> > >> As specified herein, ZONEMD is impractical for large, dynamic zones > >> due to the time and resources required for digest calculation. > >> However, The ZONEMD record is extensible so that new digest schemes > >> may be added in the future to support large, dynamic zones. > >> > >> > >> The IETF datatracker status page for this draft is: > >> https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-zone-digest/ > >> > >> There are also htmlized versions available at: > >> https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-10 > >> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-zone-digest-10 > >> > >> > >> A diff from the previous version is available at: > >> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-dns-zone-digest-10 > >> > >> > >> Please note that it may take a couple of minutes from the time of > >> submission > >> until the htmlized version and diff are available at tools.ietf.org. > >> > >> Internet-Drafts are also available by anonymous FTP at: > >> ftp://ftp.ietf.org/internet-drafts/ > >> > >> > >> _______________________________________________ > >> DNSOP mailing list > >> DNSOP@ietf.org > >> https://www.ietf.org/mailman/listinfo/dnsop > > > > > _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
