While approving the IANA allocations I re-read the document again, and
I have some more comments that might make the document more
understandable.

--

In section 4.1 there is an example of example.com, but it would be better
to put quotes around it, i.e., change

        A Fully Qualified Domain Name used for Split DNS rules, such
        as example.com, ...

with

        A Fully Qualified Domain Name used for Split DNS rules, such
        as "example.com", ...

as we do in the RFC7296 section 3.5 for ID_FQDN.

--

In section 4.2 there is "Digest Type" in the figure, but the
list has only an item for "DS algorithm". Make those the same.

--

It is a bit misleading to say that "Key Tag", "Algorithm", "DS algorithm"
etc. can either be 0 or 2/1/1 etc. octets long. How does the receiver
know what is going to be the length of the "Key Tag" value for
example?

I assume the intent has been to say that either all the fields are
there with fixed lengths, or they are all omitted, meaning the length
is 0 for all of them.

The current section 4.2 does not clearly indicate that.

I would propose the following change:

----------------------------------------------------------------------
4.2.  INTERNAL_DNSSEC_TA Configuration Attribute

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-----------------------------+-------------------------------+
    |R|         Attribute Type      |            Length             |
    +-+-----------------------------+---------------+---------------+
    |                                                               |
    ~                  DNSSEC Trust Anchor Data                     ~
    |                                                               |
    +---------------------------------------------------------------+

   o  Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296].

   o  Attribute Type (15 bits) [TBD IANA] - INTERNAL_DNSSEC_TA.

   o  Length (2 octets, unsigned integer) - Length of DNSSEC Trust
      Anchor data.

   o  DNSSEC Trust Anchor Data (0 or more octets) - Either empty or
      DNSSEC Trust Anchor data in the format specified in
      [RFC4034] Section 5.1 (copied here for convenience):

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-------------------------------+---------------+---------------+
    |           Key Tag             |  Algorithm    |  Digest Type  |
    +-------------------------------+---------------+---------------+
    |                                                               |
    ~                            Digest                             ~
    |                                                               |
    +---------------------------------------------------------------+

   o  Key Tag value (2 octets, unsigned integer) - Key Tag as
      specified in [RFC4034] Section 5.1 

   o  Algorithm (1 octet) - DNSKEY algorithm value from the IANA DNS
      Security Algorithm Numbers Registry 

   o  Digest Type (1 octet) - DS algorithm value from the IANA
      Delegation Signer (DS) Resource Record (RR) Type Digest
      Algorithms Registry

   o  Digest (length specified by the Digest Type field octets) - The
      DNSKEY digest as specified in [RFC4034] Section 5.1 in
      presentation format. 

----------------------------------------------------------------------

I.e., split the figure in two pieces, where first one just says we
have the DS RDATA inside (or not in case of request and then the
length is 0), and then explain the DS RDATA format after that...
-- 
[email protected]
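To make the ambiguity raised above concrete, here is an added example parser (not code from the draft, its authors or this list) for the INTERNAL_DNSSEC_TA attribute as the proposal describes it: the attribute value is either empty (a request, Length = 0) or a complete DS RDATA in RFC 4034 Section 5.1 wire format, whose Key Tag, Algorithm and Digest Type fields are all present and whose Digest length is implied by the Digest Type. Because the draft lists the attribute type number as TBD IANA, the constant `ATTR_TYPE_INTERNAL_DNSSEC_TA` below is a placeholder chosen for the example only; the digest lengths for Digest Types 1, 2 and 4 come from the IANA DS RR Digest Algorithms registry (SHA-1, SHA-256, SHA-384). The sample trust anchor in the demo is constructed, not a real DS record.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Placeholder attribute type number: the draft says "TBD IANA", so this
# value is an assumption made for this example only.
ATTR_TYPE_INTERNAL_DNSSEC_TA = 0x7FF0

# Digest length in octets implied by each DS Digest Type value in the IANA
# DS RR Digest Algorithms registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_LENGTHS = {1: 20, 2: 32, 4: 48}


@dataclass
class DSTrustAnchor:
    key_tag: int       # 2 octets, unsigned
    algorithm: int     # 1 octet, DNSKEY algorithm number
    digest_type: int   # 1 octet, DS digest type
    digest: bytes      # length fixed by digest_type, never optional


def parse_ds_rdata(data: bytes) -> DSTrustAnchor:
    """Parse DS RDATA (RFC 4034 s.5.1 wire format).

    All three fixed fields must be present; a value that carries only a
    Key Tag (or any other partial prefix) is rejected, because the receiver
    has no way to tell which fields were "omitted".
    """
    if len(data) < 4:
        raise ValueError(
            f"DS RDATA needs at least 4 fixed octets, got {len(data)}")
    key_tag, algorithm, digest_type = struct.unpack("!HBB", data[:4])
    expected = DIGEST_LENGTHS.get(digest_type)
    if expected is None:
        raise ValueError(f"unknown DS digest type {digest_type}")
    digest = data[4:]
    if len(digest) != expected:
        raise ValueError(
            f"digest type {digest_type} implies {expected} octets, "
            f"got {len(digest)}")
    return DSTrustAnchor(key_tag, algorithm, digest_type, digest)


def parse_internal_dnssec_ta(buf: bytes) -> Optional[DSTrustAnchor]:
    """Parse one INTERNAL_DNSSEC_TA configuration attribute.

    Header is the generic IKEv2 configuration attribute header: 1 reserved
    bit plus a 15-bit type, then a 2-octet length. Returns None for the
    request form (Length = 0) and a DSTrustAnchor otherwise.
    """
    if len(buf) < 4:
        raise ValueError("truncated configuration attribute header")
    type_field, length = struct.unpack("!HH", buf[:4])
    attr_type = type_field & 0x7FFF          # drop the reserved R bit
    if attr_type != ATTR_TYPE_INTERNAL_DNSSEC_TA:
        raise ValueError(f"not INTERNAL_DNSSEC_TA (type {attr_type})")
    value = buf[4:4 + length]
    if len(value) != length:
        raise ValueError("attribute Length exceeds the available octets")
    if length == 0:
        return None                           # request: no trust anchor data
    return parse_ds_rdata(value)


def build_internal_dnssec_ta(ta: Optional[DSTrustAnchor]) -> bytes:
    """Encode the attribute: empty value for a request, full DS RDATA otherwise."""
    if ta is None:
        data = b""
    else:
        if len(ta.digest) != DIGEST_LENGTHS[ta.digest_type]:
            raise ValueError("digest length does not match digest type")
        data = struct.pack("!HBB", ta.key_tag, ta.algorithm,
                           ta.digest_type) + ta.digest
    return struct.pack("!HH", ATTR_TYPE_INTERNAL_DNSSEC_TA, len(data)) + data


if __name__ == "__main__":
    # Constructed sample: key tag 0x1234, algorithm 13, SHA-256 digest of
    # dummy bytes. Not a real trust anchor.
    sample = DSTrustAnchor(0x1234, 13, 2, bytes(range(32)))
    wire = build_internal_dnssec_ta(sample)
    print("reply:", wire.hex(), "->", parse_internal_dnssec_ta(wire))
    print("request:", build_internal_dnssec_ta(None).hex(), "->",
          parse_internal_dnssec_ta(build_internal_dnssec_ta(None)))
    # Value with only a Key Tag and nothing else: exactly the case the
    # "0 or 2 octets" wording would seem to allow, and it is rejected.
    try:
        parse_internal_dnssec_ta(bytes([0x7F, 0xF0, 0, 2, 0x12, 0x34]))
    except ValueError as err:
        print("partial value rejected:", err)
```

The receiver never has to guess a field length: Length is either 0 or the size of a whole DS RDATA, and within the RDATA the only variable-length field, Digest, is sized by the Digest Type octet that precedes it.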
