Wes,
It's been a while since I have had a look at this draft, my apologies.
I don't think it is ready for WGLC because I am not convinced the math
is correct. Section 6 defines the waitTime:
    waitTime = addHoldDownTime
               + (DNSKEY RRSIG Signature Validity)
               + MAX(MIN((DNSKEY RRSIG Signature Validity) / 2,
                         MAX(original TTL of K_old DNSKEY RRSet) / 2,
                         15 days),
                     1 hour)
               + 2 * MAX(TTL of all records)
Which is the same as:
    waitTime = addHoldDownTime
               + (DNSKEY RRSIG Signature Validity)
               + queryInterval
               + 2 * MAX(TTL of all records)
but reads better.
This should be the same as Itrp as defined in RFC 7583:
    Itrp >= queryInterval + AddHoldDownTime + queryInterval
Basically these two differ at the following points:
1. Itrp does not include (DNSKEY RRSIG Signature Validity). It does
mention that the validator should not see a validly signed DNSKEY RRset
without the new key in that period. So adding (DNSKEY RRSIG Signature
Validity) is a good update.
2. waitTime only adds one queryInterval, while Itrp adds two. I believe
to be safe on the publishing side, two queryIntervals is needed. RFC
7583 explains:
A validator will treat it as a trust anchor the next
time it retrieves the RRset, a process that can take up to another
queryInterval (the third term).
3. waitTime adds two MAX(TTL of all records) (margin). The draft says
that it is probably not needed, and I agree, and that explains why it is
missing from the Itrp definition.
4. Both definitions (Itrp and waitTime) don't really take into
consideration the retryTime defined in RFC 5011. Perhaps that can be
used for defining the extra safety margin.
5. Itrp actually is defined with a modifiedQueryInterval which excludes
the RRSIG expiration interval. Now that this is recognized to be the time
between inception and expiration of the RRSIG, I actually think it does
not need to be removed from the equation. So Itrp could have worked with
just queryInterval.
Given these points I think the correct definition of waitTime is:
    margin = 2 * MAX(TTL)
    waitTime = addHoldDownTime
               + signatureValidity(DNSKEY)
               + 2 * queryInterval
               + margin
I think slop needs to be separated and it should be documented that this
is a suggested value for the slop.
Furthermore, this document should also give guidance on the wait time
before a revoked DNSKEY can be removed from the zone:
    waitRemoveTime = signatureValidity(DNSKEY)
                     + queryInterval
                     + margin
This document should probably update RFC 7583 because it is giving a
better definition of Itrp and Irev.
For readability of the document I would like to suggest moving the
Attack example and breakdown to the Appendix.
Kind regards,
Matthijs
On 05-07-17 19:11, Wes Hardaker wrote:
>
> Folks,
>
> We believe that the latest draft-rfc5011-security-considerations
> document is ready for WGLC, and would like the chairs to start that
> process unless anyone thinks it's not ready to go forward. In
> particular, we believe all outstanding issues with it have been
> resolved.
>
> Objections?
>
_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop
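As an added illustration (not part of the draft, RFC 7583 or the message above), the following Python computes the RFC 5011 queryInterval with its 1 hour floor and 15 day ceiling, then the draft's waitTime, the waitTime proposed above with two queryIntervals, and the suggested waitRemoveTime, so the one-queryInterval difference between the two definitions can be seen on concrete values. The sample timings (30 day addHoldDownTime as in RFC 5011, 30 day DNSKEY signature validity, 2 day DNSKEY TTL, 1 day maximum TTL) are constructed for the example.

```python
from datetime import timedelta

# RFC 5011 queryInterval:
#   MAX(1 hr, MIN(15 days, 1/2 * OrigTTL, 1/2 * RRSigExpirationInterval))
def query_interval(sig_validity: timedelta, dnskey_ttl: timedelta) -> timedelta:
    return max(timedelta(hours=1),
               min(timedelta(days=15), dnskey_ttl / 2, sig_validity / 2))

def margin(max_ttl: timedelta) -> timedelta:
    # The "slop" term: 2 * MAX(TTL of all records)
    return 2 * max_ttl

def draft_wait_time(add_hold_down: timedelta, sig_validity: timedelta,
                    dnskey_ttl: timedelta, max_ttl: timedelta) -> timedelta:
    # waitTime as written in section 6 of the draft: one queryInterval
    return (add_hold_down + sig_validity
            + query_interval(sig_validity, dnskey_ttl) + margin(max_ttl))

def proposed_wait_time(add_hold_down: timedelta, sig_validity: timedelta,
                       dnskey_ttl: timedelta, max_ttl: timedelta) -> timedelta:
    # waitTime with two queryIntervals, matching the Itrp shape of RFC 7583
    return (add_hold_down + sig_validity
            + 2 * query_interval(sig_validity, dnskey_ttl) + margin(max_ttl))

def wait_remove_time(sig_validity: timedelta, dnskey_ttl: timedelta,
                     max_ttl: timedelta) -> timedelta:
    # Suggested wait before a revoked DNSKEY may be removed from the zone
    return sig_validity + query_interval(sig_validity, dnskey_ttl) + margin(max_ttl)

if __name__ == "__main__":
    # Constructed sample timings (not taken from any real zone)
    hold, sig, kttl, mttl = (timedelta(days=30), timedelta(days=30),
                             timedelta(days=2), timedelta(days=1))
    print("queryInterval       :", query_interval(sig, kttl))
    print("draft waitTime      :", draft_wait_time(hold, sig, kttl, mttl))
    print("proposed waitTime   :", proposed_wait_time(hold, sig, kttl, mttl))
    print("waitRemoveTime      :", wait_remove_time(sig, kttl, mttl))
```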