Skip to main content

Early Review of draft-cuiling-dnsop-sm2-alg-11

Request Review of draft-cuiling-dnsop-sm2-alg-10
Requested revision 10 (document currently at 15)
Type Early Review
Team DNS Directorate (dnsdir)
Deadline 2023-12-07
Requested 2023-11-07
Requested by Eliot Lear
Authors Cuiling Zhang , Yukun Liu , Feng Leng , Qi Zhao , Zheng He
I-D last updated 2023-11-11
Completed reviews Dnsdir Early review of -11 by Geoff Huston (diff)
Review guidelines for the ISE are at  In addition, I would ask if Cathy is properly integrating SM2/SM3 for dnssec.
Assignment Reviewer Geoff Huston
State Completed
Request Early review on draft-cuiling-dnsop-sm2-alg by DNS Directorate Assigned
Posted at
Reviewed revision 11 (document currently at 15)
Result Ready w/nits
Completed 2023-11-11
This reviewer has no competence to comment on the quality of SM2 and SM3 in the
context of use by DNSEC as a crypto algorithm.

The document is generally readable and clear. There are some nits and open
questions that have been prompted by this review, as follows:

1. In the introduction it would be better to reference the IANA registry of
DNSSEC algorithms explicitly. i.e.: Replace the last sentence with “DNSSEC
signature algorithms are registered in the DNSSEC algorithm IANA registry
[IANA]" Where [IANA] refers to]”

2. Second para: “a new signing algorithm” - drop the ‘a’

3. “algorithm is SM3 with digest type code [TBD1]” - its unclear if this TDB1
is waiting for an IANA code assignment or waiting on some third party code

4. “And the parameters of the curve used in this document are as follows:” -
drop the “And”

5. Is this a “document” or a “profile” in the previous sentence? I suspect its
a “profile”

6. Security considerations

  “The security strength of SM2 is considered to be equivalent to half the size
  of the key, which is 128 bits.”
   A reference to support this "is considered" assertion would help a lot here.

   “For another thing, the security of ECC-based algorithms is influenced by
   the curve it uses.”
    Is a clumsy expression - I suggest dropping “For another thing”

  “ Thus it's recommended that the DNS server implementations use popular
  cryptography library which support SM2 and SM3 algorithms, such as OpenSSL. 
  Thus it's convenient to use a different curve if SM2 is compromised.”

  Is this a RECOMMEND form of advice?

  Its also unclear to this reviewer what this is actually recommending.

  7. I am unsure of the intent of the inclusion of Appendix A. It seems to be a
  standard NSEC3-signed zone signed with algorithm TDB2. What purpose does the
  inclusion of this appendix serve?