
Gen-ART review of draft-ietf-dnsext-dnssec-bis-updates-18

2012-05-25 16:03:01
I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please resolve these comments along with any other Last Call comments
you may receive.

Document: draft-ietf-dnsext-dnssec-bis-updates-18
Reviewer: Richard Barnes
Review Date: May-25-2012
IETF LC End Date: Not known
IESG Telechat date: Jan-05-2012

Summary: Almost ready, couple of questions

MAJOR:

4.1.
It's not clear what the threat model is that this section is designed to 
address.  If the zone operator is malicious, then it can simulate the necessary 
zone cut and still prove the non-existence of records in the child zone.  

5.10.
I find the recommendation of the "Accept Any Success" policy troubling.  It 
deals very poorly with compromise (and other roll-over scenarios): Suppose 
there are two trust anchors, one for example.com and one for child.example.com.
If the private key corresponding to the TA for child.example.com is 
compromised, but the validator continues to trust it, this negates the benefit 
provided by the parent (example.com) facilitating a rollover.  Suggest an 
alternative policy, "Highest Signer": Out of the set of keys configured as TAs, 
the validator only uses a key as a TA (for purposes of validation) if there 
does not exist a DNSSEC path from it to any other TA.  This policy seems like 
more work to enforce (because you have to do more backward chaining), but ISTM 
that the validator should have the necessary DNSSEC records anyway, so it's 
just a matter of a couple of quick checks.
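The "Highest Signer" policy proposed in the review, worked through as an added example (this is the editor's own illustration, not text or code from the review, the draft, or any validator implementation). It models a validator's configured trust anchors over a toy zone tree and compares "Accept Any Success" with "Highest Signer" on the compromise-plus-rollover scenario the review describes. Everything concrete here is an assumption made for the example: the zone names, the key tags 1001/2001/2002, the simplification that a zone is just the set of key tags in its apex DNSKEY RRset, and the reading that a TA is shadowed when a higher TA yields a validated DNSKEY RRset at the shadowed TA's zone (whether or not the shadowed key is still in that RRset).

```python
"""Toy model of trust-anchor selection policies (added example, not the draft's text).

Assumptions (not from the draft):
 - A zone is modelled by the key tags in its apex DNSKEY RRset, which is taken
   to be signed by the keys it contains.
 - A parent publishes DS records as a set of key tags per child zone.
 - A "DNSSEC path" from TA X to TA Y exists when X sits at a proper ancestor
   zone of Y's zone and every delegation between them has a DS matching a key
   in the child's DNSKEY RRset. Y itself need not be in the final RRset, so a
   rolled or compromised child key is still shadowed by the parent chain.
 - Two TAs configured at the same zone do not shadow each other.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TrustAnchor:
    zone: str       # owner name, e.g. "child.example.com."
    key_tag: int    # key tag of the configured DNSKEY


@dataclass
class Zone:
    name: str
    dnskey_tags: set[int]                                   # apex DNSKEY RRset
    ds_for_child: dict[str, set[int]] = field(default_factory=dict)


def labels(name: str) -> list[str]:
    return [l for l in name.rstrip(".").split(".") if l]


def is_proper_ancestor(ancestor: str, name: str) -> bool:
    a, n = labels(ancestor), labels(name)
    return len(a) < len(n) and n[len(n) - len(a):] == a


def zones_between(ancestor: str, name: str) -> list[str]:
    """Names strictly below `ancestor` down to and including `name`, top-down."""
    a, n = labels(ancestor), labels(name)
    return [".".join(n[i:]) + "." for i in range(len(n) - len(a) - 1, -1, -1)]


def secure_ds_for(zones: dict[str, Zone], ta: TrustAnchor, zone_name: str) -> set[int] | None:
    """DS key tags for `zone_name` as validated by chaining down from `ta`,
    or None when no secure chain exists. A TA at the zone acts as its own DS."""
    if ta.zone == zone_name:
        return {ta.key_tag}
    if not is_proper_ancestor(ta.zone, zone_name):
        return None
    cur = zones.get(ta.zone)
    if cur is None or ta.key_tag not in cur.dnskey_tags:
        return None                       # TA key is not in its own zone's RRset
    for name in zones_between(ta.zone, zone_name):
        ds = cur.ds_for_child.get(name, set())
        if name == zone_name:
            return ds or None             # empty DS set = insecure delegation
        child = zones.get(name)
        if child is None:
            continue                      # label boundary that is not a zone cut
        if not (ds & child.dnskey_tags):
            return None                   # broken or insecure delegation on the way
        cur = child
    return None


def dnssec_path_exists(zones: dict[str, Zone], higher: TrustAnchor, lower: TrustAnchor) -> bool:
    """Does `higher` validate a chain down to the DNSKEY RRset of `lower`'s zone?"""
    if higher.zone == lower.zone:
        return False                      # same-zone TAs do not shadow each other (assumption)
    ds = secure_ds_for(zones, higher, lower.zone)
    lz = zones.get(lower.zone)
    return bool(ds and lz and ds & lz.dnskey_tags)


def effective_tas_accept_any_success(zones: dict[str, Zone], tas: set[TrustAnchor]) -> set[TrustAnchor]:
    return set(tas)                       # every configured TA is used as-is


def effective_tas_highest_signer(zones: dict[str, Zone], tas: set[TrustAnchor]) -> set[TrustAnchor]:
    return {t for t in tas if not any(dnssec_path_exists(zones, u, t) for u in tas if u != t)}


def accept_dnskey_rrset(zones, tas, policy, zone_name: str, rrset_tags: set[int], signer_tag: int) -> bool:
    """Accept a DNSKEY RRset for `zone_name` if any effective TA yields a DS
    matching its signing key (this is the "any success" acceptance loop)."""
    for ta in policy(zones, tas):
        ds = secure_ds_for(zones, ta, zone_name)
        if ds and signer_tag in rrset_tags and signer_tag in ds:
            return True
    return False


def rollover_scenario() -> dict:
    """Constructed scenario: TAs for example.com (1001) and child.example.com
    (2001). Key 2001 is compromised; the parent has rolled its DS to 2002."""
    zones = {
        "example.com.": Zone("example.com.", {1001}, {"child.example.com.": {2002}}),
        "child.example.com.": Zone("child.example.com.", {2002}),
    }
    tas = {TrustAnchor("example.com.", 1001), TrustAnchor("child.example.com.", 2001)}
    forged = ({2001}, 2001)               # attacker's RRset signed with the stolen key
    legit = ({2002}, 2002)
    child = "child.example.com."
    return {
        "any_success_accepts_forged": accept_dnskey_rrset(zones, tas, effective_tas_accept_any_success, child, *forged),
        "highest_signer_accepts_forged": accept_dnskey_rrset(zones, tas, effective_tas_highest_signer, child, *forged),
        "highest_signer_accepts_legit": accept_dnskey_rrset(zones, tas, effective_tas_highest_signer, child, *legit),
        "highest_signer_effective": {(t.zone, t.key_tag) for t in effective_tas_highest_signer(zones, tas)},
    }


if __name__ == "__main__":
    for k, v in rollover_scenario().items():
        print(f"{k}: {v}")
```

In the scenario, "Accept Any Success" still accepts the attacker's DNSKEY RRset because the stale child TA succeeds on its own, while "Highest Signer" drops the child TA (the parent's chain reaches child.example.com securely) and so only the parent's rolled DS counts. If the parent delegation were insecure (no DS), the child TA would not be shadowed and would stay in use under either policy.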



