Robert Wilton has entered the following ballot position for draft-ietf-dnsop-dns-zone-digest-12: No Objection
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-zone-digest/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thank for you this document. I found it interesting and it looks useful. I have a few comments that may improve this document for you to please consider: Herein, SHA384 [RFC6234], with value 1, is the only standardized Hash Algorithm defined for ZONEMD records that MUST be implemented. When SHA384 is used, the size of the Digest field is 48 octets. The result of the SHA384 digest algorithm MUST NOT be truncated, and the entire 48 octet digest is published in the ZONEMD record. SHA512 [RFC6234], with Hash Algorithm value 2, is also defined for ZONEMD records, and SHOULD be implemented. When SHA512 is used, the size of the Digest field is 64 octets. The result of the SHA512 digest algorithm MUST NOT be truncated, and the entire 64 octet digest is published in the ZONEMD record. For consistency, perhaps change "with value 1" to "with Hash Algorithm value 1"? 2.2.4. The Digest Field The Digest field MUST NOT be shorter than 12 octets. Digests for the SHA384 and SHA512 hash algorithms specified herein are never truncated. Digests for future hash algorithms MAY be truncated, but MUST NOT be truncated to a length that results in less than 96-bits (12 octets) of equivalent strength. When I read this, I wonder why the limit of 12 bytes was chosen. Possibly a sentence that justifies why this value was chosen might be useful, noting that the two suggested algorithms have significantly longer digests. 2. The ZONEMD Resource Record It is RECOMMENDED that a zone include only one ZONEMD RR, unless the zone publisher is in the process of transitioning to a new Scheme or Hash Algorithm. I'm not quite sure how well this fits with sections 2.2.3 restriction that SHA384 MUST be implemented, and SHA512 SHOULD be implemented. As a recipient of the zone info I understand that I would need to implement both, but as a sender am I allowed to only send SHA512, or both, or must I always send SHA384? 3.1. Add ZONEMD Placeholder In preparation for calculating the zone digest, any existing ZONEMD records (and covering RRSIGs) at the zone apex are first deleted. I think that this places a requirement that all zone digests must be constructed at the same time. I suggest at least changing "zone digest" to "zone digest(s)", but it might also be worth adding a sentence to highlight that. I was also left wondering whether it is strictly required that the zone digests must be deleted, or just that placeholder zone digests must be used in their place during the calculation. E.g. what happens if a request is received to fetch the ZONEMD record at the same time that it is being reconstructed? 4. Verifying Zone Digest 5. Loop over all apex ZONEMD RRs and perform the following steps: ... My, perhaps mistaken, interpretation of these error reporting instructions in this loop is that they really assume only a single ZONEMD RR. I.e., I wouldn't expect the recipient to generate/return these errors if there were two ZONEMD RR's and only one scheme/algorithm was was supported. Yes, there is some text at the beginning of the entire algorithm that suggests what to do here, but further guidance here may also be helpful. E.g. what does the server return if there are two ZONEMD records and neither of them are acceptable for different reasons? I'm presuming, perhaps incorrectly, that only a single error can/should be returned. Regards, Rob _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
