Skip to main content

Early Review of draft-ietf-dnsop-dnssec-automation-02
review-ietf-dnsop-dnssec-automation-02-secdir-early-meadows-2024-03-15-00

Request Review of draft-ietf-dnsop-dnssec-automation
Requested revision No specific revision (document currently at 02)
Type Early Review
Team Security Area Directorate (secdir)
Deadline 2024-03-15
Requested 2024-02-28
Requested by Tim Wicinski
Authors Ulrich Wisser , Shumon Huque , Johan Stenstam
I-D last updated 2024-03-15
Completed reviews Dnsdir Early review of -02 by David C Lawrence
Secdir Early review of -02 by Catherine Meadows
Assignment Reviewer Catherine Meadows
State Completed
Request Early review on draft-ietf-dnsop-dnssec-automation by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/LpANoMzbzSl6h7dS9TFUlrqGJVs
Reviewed revision 02
Result Has issues
Completed 2024-03-15
review-ietf-dnsop-dnssec-automation-02-secdir-early-meadows-2024-03-15-00
I have reviewed draft-ietf-cose-type-header-parameters as part of
the security directorate's ongoing effort to review all IETF
documents being processed by the IESG. These comments were written
primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any
other last call comments

I do not see any serious problems with this draft.  However, there are a number
of minor things that need changing that go beyond nits, so I am rating this as
having issues.

1. Comments in the security considerations are all relevant and necessary.  My
only suggestion is to mention that it also inherits the security considerations
of 8901, 8078, and 7477.

2.All acronyms should be defined, e.g. in a glossary.

3. The terms “parent should be defined.

4.  The term “trust mechanism” should be defined.  I assume that goes beyond
just authenticating a principal but determining that it is authorized to do its
job, but this should be stated clearly.

5.  In section 4.2.2 it says

The minimum DNSKEY Waiting Time is the maximum of all DNSKEYS TTL
values from all signers plus the time it takes to publish the zone
on all secondaries.

How is the latter computed?  Or is the way the it is computed left up to the
implementor?

6.  This is the one I had the most trouble with. 4.9.  appears to be saying
that a setup in which different signers use different key  algorithms either
MUST NOT be allowed, or SHOULD be allowed, depending on which RFC you read. 
But then it says “So a Multi-Signer setup where different signers use different
key algorithms should still validate.”   I’m not sure why this conclusion is
made, unless it’s because SHOULD always outranks MUST NOT.  But I don’t see
anything in RFC 2119 about that.  That should be clarified.  Note that this
does not mean I see anything wrong with the reasoning with the rest of 4.9; it
seems reasonable.  But it seems to be discussing a scenario that is already
ruled out by the RFCs, and there no instructions for handling this case in the
current draft.  This needs be clarified.

Finally, some nits:

1. 4.1 number 4: signer or controller, number 4.  I think “signer controller”
should be “signer or controller”

Each Signer to be added, including the initial Signer, must meet the
following prerequisites before joining the Multi-Signer Group
   1. A working setup of the zone, including DNSSEC signing.

If the zone is the zone the Signer is entering, then it can’t be considered an
attribute of the signer.   This is confusing and the wording should be changed.

2. Section 4.9 doesn’t have any content.

3. Security considerations, second paragraph:  “steps to allows” should be
“steps to allow”