Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC)
draft-ietf-dnsop-edns-key-tag-05

[Ballot comment]

- abstract: referring to section 1.1 from here seems wrong,
the abstract ought be readable by itself

- section 5: Is the key tag query only and solely intended to
allow the authoritative to track how clients are paying
attention (or not) to key rollovers? If there's another
purpose I'm not clear about it.

- 5.3: "I believe that to be..." seems like the wrong language
to use with >1 author.

- section 7/8: Is there a missing security/privacy
consideration here, in that an authoritative server here could
arrange to hand out key tags that are specific to (in the
limit) each query, so that when the resolver queries a
sub-domain, and thereafter, the client will be identifiable to
the authoritative server?  One could do this by generating new
keys per querier so that if I ask about example.com I get
given a tag that's unique to me, and then some web content
pushes me to ask about www.example.com and every time I do
that I emit that user-specific key tag. While that'd be
unlikely for a large zone, it might be feasible as a tracker
if some "bad" domain sets up a specific subdomain for such
purposes. That said, I'm not clear how much better this is for
the attacker compared to simply using a tracking name in the
authority component of the URL for e.g. some 1x1 gif.

[Ballot comment]
I am doubtful that this will deploy, considering that there are 2 mechanism.

Are there existing or planned implementations of both approaches? I am sorry if I missed that in the shepherding writeup.

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Services Operator has completed its review of draft-ietf-dnsop-edns-key-tag-03.txt. If any part of this review is inaccurate, please let us know.

The IANA Services Operator understands that, upon approval of this document, there is a single action which we must complete.

In the DNS EDNS0 Option Codes (OPT) subregistry of the Domain Name System (DNS) Parameters registry located at:

https://www.iana.org/assignments/dns-parameters/

a single new option code is to be added to the registry as follows:

Value: [ TBD-at-registration ]
Name: edns-key-tag
Status: Optional
Reference: [ RFC-to-be ]

Because this registry requires Expert Review [RFC5226] for registration, we've contacted the IESG-designated expert in a separate ticket to request approval. Expert review should be completed before your document can be approved for publication as an RFC.

The IANA Services Operator understands that this is the only action required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed.

Thank you,

Sabrina Tanamal
IANA Services Specialist
PTI

The following Last Call announcement was sent out:

From: The IESG
To: "IETF-Announce"
CC: tjw.ietf@gmail.com, dnsop-chairs@ietf.org, joelja@gmail.com, draft-ietf-dnsop-edns-key-tag@ietf.org, "Tim Wicinski" , dnsop@ietf.org
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC)) to Proposed Standard


The IESG has received a request from the Domain Name System Operations WG
(dnsop) to consider the following document:
- 'Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC)'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2017-01-16. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  The DNS Security Extensions (DNSSEC) were developed to provide origin
  authentication and integrity protection for DNS data by using digital
  signatures.  These digital signatures can be verified by building a
  chain-of-trust starting from a trust anchor and proceeding down to a
  particular node in the DNS.  This document specifies two different
  ways for validating resolvers to signal to a server which keys are
  referenced in their chain-of-trust.  The data from such signaling
  allow zone administrators to monitor the progress of rollovers in a
  DNSSEC-signed zone.

  This document describes two independent methods for validating
  resolvers to publish their referenced keys: an EDNS option and a
  different DNS query.  The reason there are two methods instead of one
  is some people see significant problems with each method.  Having two
  methods is clearly worse than having just one, but it is probably
  better for the Internet than having no way to gain the information
  from the resolvers.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-dnsop-edns-key-tag/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-dnsop-edns-key-tag/ballot/


No IPR declarations have been submitted directly on this I-D.

As required by RFC 4858, this is the current template for the Document
Shepherd Write-Up.

Shepherd write up for draft-ietf-dnsop-edns-key-tag

(1)

This RFC is being requests as a Standards Track.
This is the correct type of RFC.

(2)

Technical Summary:

This document specifies two different ways for validating DNS resolvers
to signal to a server which DNSSEC keys are referenced in their chain-of-
trust.  The data from such signaling allow zone administrators to
monitor the progress of rollovers in a DNSSEC-signed zone.    This
document describes two independent methods for validating resolvers
to publish their referenced keys: an EDNS option and a different
DNS query.


Working Group Summary:

The working group was in strong consensus behind this document. One thing
which did emerge was that there was a division over two methods for
publishihng the keys (EDNS option vs a DNS query).  It turned out that each
method had its positives and its negatives.  The consensus from the working
group was to offer both alternatives, documents the flaws in each.

Document Shepherd: Tim Wicinski

Area Director:    Joel Jaeggli

(3)
The document shepherd did a deep dive on the document for technical
correctness, as well as an editorial pass for grammar and diction.
The shepherd feels this document is ready for publication.

(4)
The document shepherd does not have any concerns about the depth or breath of
the reviews.

(5)
No additional reviews needed.

(6)
The document shepherd has no concerns about this document for the Area
Directors.

(7) The authors have confirmed they are not aware of any IPR against this
document.

(9)
The working group is in strong consenus for this document.

(10)
There has been no extreme discontent.

(11)
No Nits found

(12)

(13)
All references have been identified as normative or informative

(14)
There are no normative references in an unclear state

(15
There are no downward normative references

(16)
Publication of this document will not change any existing RFCs

(17)
The IANA Considerations section requests the assignment of a new
EDNS0 option code.  Discussing with the Expert Reviewer of DNS parameters,
this section is correctly structured

(18)
No new IANA Registries.