Use of GOST Signature Algorithms in DNSKEY and RRSIG Resource Records for DNSSEC
draft-ietf-dnsext-dnssec-gost-07
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2012-08-22
|
07 | (System) | post-migration administrative database adjustment to the No Record position for Cullen Jennings |
2012-08-22
|
07 | (System) | post-migration administrative database adjustment to the No Objection position for Tim Polk |
2012-08-22
|
07 | (System) | post-migration administrative database adjustment to the No Objection position for Russ Housley |
2010-04-05
|
07 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
2010-04-02
|
07 | (System) | IANA Action state changed to Waiting on RFC Editor from In Progress |
2010-04-02
|
07 | (System) | IANA Action state changed to In Progress from Waiting on Authors |
2010-04-01
|
07 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2010-03-31
|
07 | Amy Vezza | State Changes to RFC Ed Queue from Approved-announcement sent by Amy Vezza |
2010-03-30
|
07 | Amy Vezza | IESG state changed to Approved-announcement sent |
2010-03-30
|
07 | Amy Vezza | IESG has approved the document |
2010-03-29
|
07 | (System) | IANA Action state changed to In Progress |
2010-03-29
|
07 | Amy Vezza | IESG state changed to Approved-announcement sent |
2010-03-29
|
07 | Amy Vezza | IESG has approved the document |
2010-03-29
|
07 | Amy Vezza | Closed "Approve" ballot |
2010-03-29
|
07 | Amy Vezza | State Changes to Approved-announcement to be sent from IESG Evaluation::AD Followup by Amy Vezza |
2010-03-25
|
07 | Russ Housley | [Ballot Position Update] Position for Russ Housley has been changed to No Objection from Discuss by Russ Housley |
2010-03-24
|
07 | Cullen Jennings | [Ballot Position Update] Position for Cullen Jennings has been changed to Undefined from Discuss by Cullen Jennings |
2010-03-18
|
07 | Alexey Melnikov | [Ballot Position Update] Position for Alexey Melnikov has been changed to No Objection from Discuss by Alexey Melnikov |
2010-03-18
|
07 | Alexey Melnikov | [Ballot comment] As per Olafur, there is WG consensus not to register the new hashing function in the IANA registry established by RFC 5155. … [Ballot comment] As per Olafur, there is WG consensus not to register the new hashing function in the IANA registry established by RFC 5155. So I am downgrading this to a COMMENT. 6.1. Support for GOST signatures DNSSEC aware implementations SHOULD be able to support RRSIG and DNSKEY resource records created with the GOST algorithms as defined in this document. Use of this SHOULD was debated in details on SecDir mailing list. People has suggested that this should be a MAY. I don't think a choice of SHOULD versa MAY actually matters in this case, because this document doesn't say that it "Updates" RFC 4034 (And I think it a good case should be made that it shouldn't include "Updates: RFC 4034".) and because the document clearly states that the newly registered algorithms are OPTIONAL to support. Note that I also generally agree with concerns about introducing additional signature/hashing algorithms for use in DNSSEC, however I think that any DNSSEC policy on this is out of scope for the document. And the document is currently silent on this anyway. |
2010-03-18
|
07 | Alexey Melnikov | [Ballot discuss] |
2010-03-17
|
07 | Pasi Eronen | [Ballot comment] |
2010-03-09
|
07 | Tim Polk | [Ballot Position Update] Position for Tim Polk has been changed to No Objection from Undefined by Tim Polk |
2010-03-09
|
07 | Tim Polk | [Ballot Position Update] Position for Tim Polk has been changed to Undefined from Discuss by Tim Polk |
2010-03-06
|
07 | Alexey Melnikov | [Ballot comment] 6.1. Support for GOST signatures DNSSEC aware implementations SHOULD be able to support RRSIG and DNSKEY resource records created with the … [Ballot comment] 6.1. Support for GOST signatures DNSSEC aware implementations SHOULD be able to support RRSIG and DNSKEY resource records created with the GOST algorithms as defined in this document. Use of this SHOULD was debated in details on SecDir mailing list. People has suggested that this should be a MAY. I don't think a choice of SHOULD versa MAY actually matters in this case, because this document doesn't say that it "Updates" RFC 4034 (And I think it a good case should be made that it shouldn't include "Updates: RFC 4034".) and because the document clearly states that the newly registered algorithms are OPTIONAL to support. Note that I also generally agree with concerns about introducing additional signature/hashing algorithms for use in DNSSEC, however I think that any DNSSEC policy on this is out of scope for the document. And the document is currently silent on this anyway. |
2010-03-06
|
07 | Alexey Melnikov | [Ballot discuss] [The DISCUSS part was updated as per draft-ietf-dnsext-dnssec-gost-07.txt. The COMMENT part is the same and no action is required from authors.] I generally … [Ballot discuss] [The DISCUSS part was updated as per draft-ietf-dnsext-dnssec-gost-07.txt. The COMMENT part is the same and no action is required from authors.] I generally have no objections to this work. But I have one issue that needs to be clarified/discussed before I can recommend approval of this document: 1) In Section 8 (IANA Considerations): This document updates the RFC 4034 Digest Types assignment (section A.2)by adding the value and status for the GOST R 34.11-94 algorithm: Value Algorithm Status {TBA2} GOST R 34.11-94 OPTIONAL Does this also need registering in the IANA registry established by RFC 5155? |
2010-03-06
|
07 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2010-03-06
|
07 | (System) | New version available: draft-ietf-dnsext-dnssec-gost-07.txt |
2010-03-05
|
07 | (System) | Removed from agenda for telechat - 2010-03-04 |
2010-03-04
|
07 | Amy Vezza | State Changes to IESG Evaluation::Revised ID Needed from IESG Evaluation by Amy Vezza |
2010-03-04
|
07 | Ross Callon | [Ballot Position Update] New position, No Objection, has been recorded by Ross Callon |
2010-03-04
|
07 | Lisa Dusseault | [Ballot Position Update] New position, No Objection, has been recorded by Lisa Dusseault |
2010-03-04
|
07 | Robert Sparks | [Ballot Position Update] New position, No Objection, has been recorded by Robert Sparks |
2010-03-04
|
07 | Pasi Eronen | [Ballot comment] I support Tim's and Russ's DISCUSS. |
2010-03-04
|
07 | Pasi Eronen | [Ballot comment] I support Tim's and Russ's DISCUSS. |
2010-03-04
|
07 | Pasi Eronen | [Ballot Position Update] New position, No Objection, has been recorded by Pasi Eronen |
2010-03-03
|
07 | Magnus Westerlund | [Ballot Position Update] New position, No Objection, has been recorded by Magnus Westerlund |
2010-03-03
|
07 | Cullen Jennings | [Ballot discuss] When I read it was chosen to send these blobs on the wire "as is" without transformation … [Ballot discuss] When I read it was chosen to send these blobs on the wire "as is" without transformation of endianness. Do I understand this correctly that the byte order is not specified? Needless to say that does not sound interoperable to me. |
2010-03-03
|
07 | Cullen Jennings | [Ballot Position Update] New position, Discuss, has been recorded by Cullen Jennings |
2010-03-03
|
07 | Ralph Droms | State Changes to IESG Evaluation from Waiting for AD Go-Ahead by Ralph Droms |
2010-03-03
|
07 | Adrian Farrel | [Ballot Position Update] New position, No Objection, has been recorded by Adrian Farrel |
2010-03-03
|
07 | Dan Romascanu | [Ballot Position Update] New position, No Objection, has been recorded by Dan Romascanu |
2010-03-02
|
07 | Ron Bonica | [Ballot Position Update] New position, No Objection, has been recorded by Ron Bonica |
2010-03-02
|
07 | Russ Housley | [Ballot comment] Please consider the comments from the Gen-ART Review by Vijay Gurbani on 19-Feb-2010: 1) In the Abstract, the draft has references … [Ballot comment] Please consider the comments from the Gen-ART Review by Vijay Gurbani on 19-Feb-2010: 1) In the Abstract, the draft has references of the form "[DRAFT1, DRAFT2, DRAFT3]". I would humbly suggest that these be removed from the Abstract and placed in the body of the document. In their current form, these references appear, well ... temporary, given their names (DRAFT1, etc.) I have come across services that index IETF RFCs and also include the abstract in the index. In that context, having an Abstract include references to seemingly impermanent placeholders appears disconcerting. Note that references to RFC numbers themselves -- as the Abstract also shows -- is okay since RFC numbers denote some sort of permanence. 2) The references "DRAFT1" etc. seem to best fit in Section 1, paragraph 4. |
2010-03-02
|
07 | Russ Housley | [Ballot discuss] Section 6.1 says: > > DNSSEC aware implementations SHOULD be able to support RRSIG and > DNSKEY resource records created … [Ballot discuss] Section 6.1 says: > > DNSSEC aware implementations SHOULD be able to support RRSIG and > DNSKEY resource records created with the GOST algorithms as > defined in this document. > Yet, the IANA Considerations in Section 8 say that support for this algorithm is OPTIONAL. These seem to be in conflict. The 'SHOULD' needs to be removed, and the sentence reworded to clearly state that support for this algorithm is OPTIONAL. |
2010-03-02
|
07 | Russ Housley | [Ballot Position Update] Position for Russ Housley has been changed to Discuss from No Objection by Russ Housley |
2010-03-02
|
07 | Tim Polk | [Ballot discuss] 6.1. Support for GOST signatures DNSSEC aware implementations SHOULD be able to support RRSIG and DNSKEY resource records created with the … [Ballot discuss] 6.1. Support for GOST signatures DNSSEC aware implementations SHOULD be able to support RRSIG and DNSKEY resource records created with the GOST algorithms as defined in this document. There has been extensive discussion of this topic on the ietf and secdir lists. IMHO, this document has demonstrated community consensus but with a "MAY support" rather than a "MUST support". |
2010-03-02
|
07 | Tim Polk | [Ballot Position Update] New position, Discuss, has been recorded by Tim Polk |
2010-02-28
|
07 | Russ Housley | [Ballot comment] Please consider the comments from the Gen-ART Review by Vijay Gurbani on 19-Feb-2010: 1) In the Abstract, the draft has references … [Ballot comment] Please consider the comments from the Gen-ART Review by Vijay Gurbani on 19-Feb-2010: 1) In the Abstract, the draft has references of the form "[DRAFT1, DRAFT2, DRAFT3]". I would humbly suggest that these be removed from the Abstract and placed in the body of the document. In their current form, these references appear, well ... temporary, given their names (DRAFT1, etc.) I have come across services that index IETF RFCs and also include the abstract in the index. In that context, having an Abstract include references to seemingly impermanent placeholders appears disconcerting. Note that references to RFC numbers themselves -- as the Abstract also shows -- is okay since RFC numbers denote some sort of permanence. 2) The references "DRAFT1" etc. seem to best fit in Section 1, paragraph 4. |
2010-02-28
|
07 | Russ Housley | [Ballot Position Update] New position, No Objection, has been recorded by Russ Housley |
2010-02-28
|
07 | Alexey Melnikov | [Ballot comment] 6.1. Support for GOST signatures DNSSEC aware implementations SHOULD be able to support RRSIG and DNSKEY resource records created with the … [Ballot comment] 6.1. Support for GOST signatures DNSSEC aware implementations SHOULD be able to support RRSIG and DNSKEY resource records created with the GOST algorithms as defined in this document. Use of this SHOULD was debated in details on SecDir mailing list. People has suggested that this should be a MAY. I don't think a choice of SHOULD versa MAY actually matters in this case, because this document doesn't say that it "Updates" RFC 4034 (And I think it a good case should be made that it shouldn't include "Updates: RFC 4034".) and because the document clearly states that the newly registered algorithms are OPTIONAL to support. Note that I also generally agree with concerns about introducing additional signature/hashing algorithms for use in DNSSEC, however I think that any DNSSEC policy on this is out of scope for the document. And the document is currently silent on this anyway. |
2010-02-28
|
07 | Alexey Melnikov | [Ballot discuss] I generally have no objections to this work. But I have a couple of issues that need to be discussed before I can … [Ballot discuss] I generally have no objections to this work. But I have a couple of issues that need to be discussed before I can recommend approval of this document: 1) In Section 6.2: Any DNSSEC-GOST implementation is required to have either NSEC or NSEC3 support. (COMMENT) I think this should use RFC 2119 language. But more importantly, I think this is missing a Normative Reference to RFC 5155. If that is the case, then you should also register the new hashing alrogithm in the following IANA registry: 2) In Section 8: This document updates the RFC 4034 Digest Types assignment (section A.2)by adding the value and status for the GOST R 34.11-94 algorithm: Value Algorithm Status {TBA2} GOST R 34.11-94 OPTIONAL I think you meant the following IANA registry: ? Can you please confirm. |
2010-02-28
|
07 | Alexey Melnikov | [Ballot Position Update] New position, Discuss, has been recorded by Alexey Melnikov |
2010-02-24
|
07 | (System) | State has been changed to Waiting for AD Go-Ahead from In Last Call by system |
2010-02-17
|
07 | Amanda Baber | IANA questions/comments: ACTION 1: make a new assignment in the "DNS Security Algorithm Numbers" registry at http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml Number: TBA1 Description: GOST R 34.10-2001 Mnemonic: GOST … IANA questions/comments: ACTION 1: make a new assignment in the "DNS Security Algorithm Numbers" registry at http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml Number: TBA1 Description: GOST R 34.10-2001 Mnemonic: GOST ZoneSigning: Y Trans.Sec.: * Reference: [RFC-dnsext-dnssec-gost-06] QUESTION: Section 8 requests an assignment for DNSSEC algorithm numbers. The request contains the column "Status" with the value "OPTIONAL". Currently, the registry does not contain such column. Should IANA ignore this column or create a new column in the registry? ACTION 2: make a new assignment in the "Digest Algorithms" registry at http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml Value: TBA2 Description: GOST R 34.11-94 Status: OPTIONAL Reference: [RFC-dnsext-dnssec-gost-06] |
2010-02-10
|
07 | Amy Vezza | Last call sent |
2010-02-10
|
07 | Amy Vezza | State Changes to In Last Call from Last Call Requested by Amy Vezza |
2010-02-10
|
07 | Ralph Droms | Placed on agenda for telechat - 2010-03-04 by Ralph Droms |
2010-02-10
|
07 | Ralph Droms | State Changes to Last Call Requested from AD Evaluation by Ralph Droms |
2010-02-10
|
07 | Ralph Droms | Last Call was requested by Ralph Droms |
2010-02-10
|
07 | Ralph Droms | [Ballot Position Update] New position, Yes, has been recorded for Ralph Droms |
2010-02-10
|
07 | Ralph Droms | Ballot has been issued by Ralph Droms |
2010-02-10
|
07 | Ralph Droms | Created "Approve" ballot |
2010-02-10
|
07 | (System) | Ballot writeup text was added |
2010-02-10
|
07 | (System) | Last call text was added |
2010-02-10
|
07 | (System) | Ballot approval text was added |
2010-01-14
|
07 | Samuel Weiler | Request for Early review by SECDIR Completed. Reviewer: Richard Barnes. |
2010-01-09
|
07 | Samuel Weiler | Request for Early review by SECDIR Completed. Reviewer: Stephen Kent. |
2009-12-24
|
07 | Samuel Weiler | Request for Early review by SECDIR is assigned to Richard Barnes |
2009-12-24
|
07 | Samuel Weiler | Request for Early review by SECDIR is assigned to Richard Barnes |
2009-12-24
|
07 | Samuel Weiler | Request for Early review by SECDIR is assigned to Stephen Kent |
2009-12-24
|
07 | Samuel Weiler | Request for Early review by SECDIR is assigned to Stephen Kent |
2009-12-24
|
07 | Samuel Weiler | Request for Early review by SECDIR is assigned to David McGrew |
2009-12-24
|
07 | Samuel Weiler | Request for Early review by SECDIR is assigned to David McGrew |
2009-12-18
|
07 | Ralph Droms | State Changes to AD Evaluation from Publication Requested by Ralph Droms |
2009-12-18
|
07 | Ralph Droms | [Note]: 'Olafur Gudmundsson (ogud@ogud.com) is the document shepherd.' added by Ralph Droms |
2009-12-16
|
07 | Cindy Morgan | (1.a) Who is the Document Shepherd for this document? Has the Document Shepherd personally reviewed this version of the … (1.a) Who is the Document Shepherd for this document? Has the Document Shepherd personally reviewed this version of the document and, in particular, does he or she believe this version is ready for forwarding to the IESG for publication? Olafur Gudmundsson DNSEXT co-chair. This version has addressed all issues raised in the working group last call and the document is ready for publication. (1.b) Has the document had adequate review both from key WG members and from key non-WG members? Does the Document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? Yes it has. No concerns about quality of review. (1.c) Does the Document Shepherd have concerns that the document needs more review from a particular or broader perspective, e.g., security, operational complexity, someone familiar with AAA, internationalization, or XML? This document should be reviewed by the security area. (1.d) Does the Document Shepherd have any specific concerns or issues with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. Has an IPR disclosure related to this document been filed? If so, please include a reference to the disclosure and summarize the WG discussion and conclusion on this issue. There was some push back as to if this document should be published on standards track or informational. This document is making registrations in registries that require Standards action, thus only Standards track documents can perform these registrations. The working group is comfortable with Standards track. (1.e) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? This is always hard to judge, the core members of the working group seem to understand the issues and discussing this document brought in new participants. My understanding is that the average WG members sees no problem or issue in this becoming an RFC. (1.f) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarize the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is entered into the ID Tracker.) No, (1.g) Has the Document Shepherd personally verified that the document satisfies all ID nits? (See http://www.ietf.org/ID-Checklist.html and http://tools.ietf.org/tools/idnits/.) Boilerplate checks are not enough; this check needs to be thorough. Has the document met all formal review criteria it needs to, such as the MIB Doctor, media type, and URI type reviews? If the document does not already indicate its intended status at the top of the first page, please indicate the intended status here. Yes, I have checked the document, no nits. (1.h) Has the document split its references into normative and informative? Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the strategy for their completion? Are there normative references that are downward references, as described in [RFC3967]? If so, list these downward references to support the Area Director in the Last Call procedure for them [RFC3967]. Yes references are split. Normative references 4357 is informational but that RFC is in http://trac.tools.ietf.org/group/iesg/trac/wiki/DownrefRegistry thus IMHO this is OK. (1.i) Has the Document Shepherd verified that the document's IANA Considerations section exists and is consistent with the body of the document? If the document specifies protocol extensions, are reservations requested in appropriate IANA registries? Are the IANA registries clearly identified? If the document creates a new registry, does it define the proposed initial contents of the registry and an allocation procedure for future registrations? Does it suggest a reasonable name for the new registry? See [RFC2434]. If the document describes an Expert Review process, has the Document Shepherd conferred with the Responsible Area Director so that the IESG can appoint the needed Expert during IESG Evaluation? The document IANA actions are clearly identified. (1.j) Has the Document Shepherd verified that sections of the document that are written in a formal language, such as XML code, BNF rules, MIB definitions, etc., validate correctly in an automated checker? YES (1.k) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary Relevant content can frequently be found in the abstract and/or introduction of the document. If not, this may be an indication that there are deficiencies in the abstract or introduction. This document defines the use of new digital signature algorithm, the specifications of this algorithm was originally published in Russian but an English translation is in the RFC editors queue. The document describes how to publish a public key in a DNSKEY record, how to convert the public key into a construct used by crypto libraries, and how to generate digital signature and publish it in a RRSIG. The documents further describes how to publish an authorizing DS record for a DNSKEY using a corresponding digest algorithms. Working Group Summary Was there anything in the WG process that is worth noting? For example, was there controversy about particular points or were there decisions where the consensus was particularly rough? The consensus for this document is strong. Document Quality Are there existing implementations of the protocol? Have a significant number of vendors indicated their plan to implement the specification? Are there any reviewers that merit special mention as having done a thorough review, e.g., one that resulted in important changes or a conclusion that the document had no substantive issues? If there was a MIB Doctor, Media Type, or other Expert Review, what was its course (briefly)? In the case of a Media Type Review, on what date was the request posted? This document has been reported by few DNS implementors to be clear enough to be implementable. There have been changes in the wire format between the different versions, using random testing codes for IANA requested values. This document is similar in many respects to RFC5702 and RFC 4509 as the DNS inter operability issues are identical. The only difference is the underlying technologies, RSA/SHA2 vs GOST R 34.10-2001/GOST R 34.11-94. Personnel Who is the Document Shepherd for this document? Who is the Responsible Area Director? If the document requires IANA experts(s), insert 'The IANA Expert(s) for the registries in this document are .' Document Shepherd is: Olafur Gudmundsson AD: Ralph Droms Olafur and Andrew |
2009-12-16
|
07 | Cindy Morgan | Draft Added by Cindy Morgan in state Publication Requested |
2009-12-16
|
07 | Cindy Morgan | [Note]: 'Olafur Gudmundsson (ogud@ogud.com) is the document shepherd.' added by Cindy Morgan |
2009-12-12
|
06 | (System) | New version available: draft-ietf-dnsext-dnssec-gost-06.txt |
2009-12-01
|
05 | (System) | New version available: draft-ietf-dnsext-dnssec-gost-05.txt |
2009-11-22
|
04 | (System) | New version available: draft-ietf-dnsext-dnssec-gost-04.txt |
2009-11-12
|
03 | (System) | New version available: draft-ietf-dnsext-dnssec-gost-03.txt |
2009-11-10
|
02 | (System) | New version available: draft-ietf-dnsext-dnssec-gost-02.txt |
2009-10-18
|
01 | (System) | New version available: draft-ietf-dnsext-dnssec-gost-01.txt |
2009-09-23
|
00 | (System) | New version available: draft-ietf-dnsext-dnssec-gost-00.txt |