Telechat Review of draft-ietf-dnsop-dns-zone-digest-11
review-ietf-dnsop-dns-zone-digest-11-secdir-telechat-eastlake-2020-10-01-00

Request: Review of draft-ietf-dnsop-dns-zone-digest
Requested rev.: no specific revision (document currently at 14)
Type: Telechat Review
Team: Security Area Directorate (secdir)
Deadline: 2020-10-06
Requested: 2020-09-21
Authors: Duane Wessels, Piet Barber, Matt Weinberg, Warren Kumari, Wes Hardaker
Draft last updated: 2020-10-01
Completed reviews:
  Secdir Last Call review of -09 by Donald Eastlake
  Genart Last Call review of -09 by Elwyn Davies
  Secdir Telechat review of -11 by Donald Eastlake
Assignment: Reviewer Donald Eastlake
State: Completed
Review: review-ietf-dnsop-dns-zone-digest-11-secdir-telechat-eastlake-2020-10-01
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/8GvAHKqSKqwjgGM27Y8zNq9K_jI
Reviewed rev.: 11 (document currently at 14)
Review result: Ready
Review completed: 2020-09-27

Review
review-ietf-dnsop-dns-zone-digest-11-secdir-telechat-eastlake-2020-10-01

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. Document editors and WG chairs should treat these comments just
like any other last call comments.

The summary of the review is Ready with Nits.

Overall, I am pretty happy with the state of the draft. Essentially
all of the comments from my review of -09 have been resolved and I
don't see any problem with other changes that have been made. However,
on reviewing -11, I did come up with a few things as listed below.

Section 2, last sentence right before the Section 2.1 header, should
"recommended" be all capital?

Something I didn't notice in my first review:
Section 2.2.1, ZONEMD already covers the SOA that is in the zone and
so includes the zone serial in its Digest. Thus it seems a little odd
to say that the field is needed to make the DNS response meaningful.
I'm not suggesting removing the field or anything... Perhaps some
wording change like the following:
OLD
   It is included here in order to make DNS response messages of type
   ZONEMD meaningful.  Without the serial number, a stand-alone ZONEMD
   digest has no association to any particular instance of a zone.
NEW
   It is included here to clearly bind the ZONEMD RR to a particular
   version of the zone's content. Without the serial number, a
   stand-alone ZONEMD digest has no obvious association to any
   particular instance of a zone.

Section 3.1, last sentence just before the Section 3.2 header: This
says ZONEMD RRs are excluded from digest calculation but in Section
2.1 it says that non-apex ZONEMD RRs are treated as ordinary RRs and
included. I think that 2.1 is correct and suggest inserting the word
"apex" so the last sentence of Section 3.1 starts with "Since apex
ZONEMD RRs are excluded ..." Although less important, "apex" probably
should also be inserted before "ZONEMD" in the fourth and sixth bullet
points of Section 3.3.1.1.

Section 5.3, the last sentence, after the table, is no longer needed,
since that information is given above the table, so it should be
deleted.

Section 6.2: Need to expand KSK on first use or alternatively, since it
is the only use, just not use the acronym at all and spell it out in
full.

Section 6.3: Size estimate for ZONEMD RR seems a bit low, perhaps
based on algorithms in earlier versions of the draft with shorter
digests. I would say 55 to 85 octets would be a better current
estimate.

Section 6.4: In the second paragraph, I think you mean "private use
hash algorithm code points", not "private use hash algorithms".

That's it.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 2386 Panoramic Circle, Apopka, FL 32703 USA
 d3e3e3@gmail.com
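The two structural points raised above (apex ZONEMD RRs are excluded from the digest while non-apex ZONEMD RRs are ordinary zone data, and the SOA serial in the ZONEMD RDATA binds a digest to one version of the zone) are easier to see in code. The following is an added illustration, not code from the draft or its authors: it hashes a constructed sample zone in a lower-cased presentation-format line per record rather than in DNS wire format, and orders records within an owner by type mnemonic rather than numeric type code, both simplifications of what the draft specifies. The zone contents, the serial 2020100100 and the `child.example.` ZONEMD record are constructed for the example.

```python
"""Simplified ZONEMD-style zone digest (added example; not the draft's own code).

Simplifications versus the draft: each RR is hashed as a lower-cased
presentation-format line, not wire format, and records sharing an owner
are sorted by type mnemonic rather than numeric type code. The rules under
discussion are kept: apex ZONEMD RRs (and RRSIGs covering them) are excluded
from the digest, non-apex ZONEMD RRs are ordinary data, and the SOA serial is
carried alongside the digest so it can only verify against that zone version.
"""
import hashlib
import hmac
from typing import List, Tuple

RR = Tuple[str, int, str, str, str]  # (owner, ttl, class, type, rdata)

ZONEMD_SCHEME_SIMPLE = 1  # RFC 8976 scheme 1 (SIMPLE)
ZONEMD_HASH_SHA384 = 1    # RFC 8976 hash algorithm 1 (SHA-384)

# Constructed sample zone. The apex ZONEMD line is a placeholder that a
# publisher would overwrite; the child.example. ZONEMD is ordinary zone data.
SAMPLE_ZONE: List[RR] = [
    ("example.", 86400, "IN", "SOA",
     "ns1.example. admin.example. 2020100100 7200 3600 1209600 3600"),
    ("example.", 86400, "IN", "NS", "ns1.example."),
    ("example.", 86400, "IN", "ZONEMD", "2020100100 1 1 00"),
    ("ns1.example.", 3600, "IN", "A", "192.0.2.1"),
    ("child.example.", 3600, "IN", "ZONEMD", "1 1 1 ab"),
    ("www.example.", 3600, "IN", "A", "192.0.2.2"),
]


def _name_key(owner: str) -> Tuple[str, ...]:
    """Canonical name order (RFC 4034 s6.1): labels compared right to left, case-folded."""
    return tuple(reversed(owner.lower().rstrip(".").split(".")))


def canonical_order(zone: List[RR]) -> List[RR]:
    """Sort by owner name, then class, type and rdata (simplified canonical order)."""
    return sorted(zone, key=lambda rr: (_name_key(rr[0]), rr[2], rr[3], rr[4]))


def _excluded(rr: RR, apex: str) -> bool:
    """Only apex ZONEMD RRs, and apex RRSIGs covering ZONEMD, are left out."""
    owner, _, _, rtype, rdata = rr
    if owner.lower() != apex.lower():
        return False  # non-apex ZONEMD RRs are treated as ordinary RRs
    if rtype == "ZONEMD":
        return True
    return rtype == "RRSIG" and rdata.split()[0] == "ZONEMD"


def zone_digest(zone: List[RR], apex: str, hash_name: str = "sha384") -> str:
    """Hex digest over the canonically ordered zone, minus the excluded apex RRs."""
    h = hashlib.new(hash_name)
    for rr in canonical_order(zone):
        if _excluded(rr, apex):
            continue
        owner, ttl, cls, rtype, rdata = rr
        h.update(f"{owner.lower()} {ttl} {cls} {rtype} {rdata}\n".encode())
    return h.hexdigest()


def soa_serial(zone: List[RR], apex: str) -> int:
    """Serial field of the apex SOA (third rdata token)."""
    for owner, _, _, rtype, rdata in zone:
        if rtype == "SOA" and owner.lower() == apex.lower():
            return int(rdata.split()[2])
    raise ValueError("zone has no apex SOA")


def build_zonemd(zone: List[RR], apex: str) -> Tuple[int, int, int, str]:
    """ZONEMD RDATA fields for this zone version: (serial, scheme, hash_alg, digest)."""
    return (soa_serial(zone, apex), ZONEMD_SCHEME_SIMPLE,
            ZONEMD_HASH_SHA384, zone_digest(zone, apex))


def with_apex_zonemd(zone: List[RR], apex: str, zonemd: Tuple[int, int, int, str],
                     ttl: int = 86400) -> List[RR]:
    """Replace any apex ZONEMD RR with the freshly computed one."""
    serial, scheme, alg, digest = zonemd
    kept = [rr for rr in zone if not (rr[0].lower() == apex.lower() and rr[3] == "ZONEMD")]
    return kept + [(apex, ttl, "IN", "ZONEMD", f"{serial} {scheme} {alg} {digest}")]


def verify_zonemd(zone: List[RR], apex: str, zonemd: Tuple[int, int, int, str]) -> bool:
    """A verifier first checks the serial, then recomputes and compares the digest."""
    serial, scheme, alg, digest = zonemd
    if serial != soa_serial(zone, apex):
        return False  # digest was made for a different version of the zone
    if scheme != ZONEMD_SCHEME_SIMPLE or alg != ZONEMD_HASH_SHA384:
        return False  # unsupported scheme or hash algorithm: cannot verify
    return hmac.compare_digest(digest, zone_digest(zone, apex))


if __name__ == "__main__":
    md = build_zonemd(SAMPLE_ZONE, "example.")
    published = with_apex_zonemd(SAMPLE_ZONE, "example.", md)
    print("serial", md[0], "verifies:", verify_zonemd(published, "example.", md))
```

Because the apex ZONEMD RR is excluded, the digest computed before it is written into the zone equals the digest a verifier recomputes afterwards; editing the non-apex `child.example.` ZONEMD record or bumping the SOA serial both cause verification to fail, which is the binding the reviewer's suggested wording for Section 2.2.1 describes.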