Document: draft-ietf-dnsext-tsig-sha-05.txt
Reviewer: Elwyn Davies [elwynd@dial.pipex.com]
Review Date: Friday 12/9/2005 12:46 PM CST
LC Date: 12/12/2005

Summary: This document appears to have some issues, one significant and some minor ones.

This document updates RFC2845 but it does not appear to consider interoperability with existing implementations. A related issue is that it defines a number of optional-to-implement features but does not appear to indicate how a receiver can inform a sender that it does not support the sender's chosen algorithm (an RFC2845 implementation just supports one algorithm), and at a quick glance I couldn't find anything in RFC2845 that covers this issue.

There are also some editorial nits.

Details:

s2: This specification introduces a number of optional-to-implement algorithms but doesn't appear to have any way for a recipient to notify the sender that it does not support the sender's chosen algorithm, or to say what should happen in this case. This also has a bearing on interoperability between new senders (conforming to this draft) and old receivers that only support RFC2845. Some words on interoperability should be included. Consideration should also be given to whether the resulting specification is vulnerable to a bidding-down attack.

s2: I am not sure why the gss-tsig identifier doesn't appear as an Optional entry in the table at the end of the section.

s3.1: The statement in the last para that the protocol SHOULD support SHA-1 truncated to 96 bits seems a bit out of place in this section. It probably deserves a separate section, however short, and possibly a mention in the policy section, as it is implying that this is a good thing to generate/accept.

s9: I think RFCs 3174, 3645 and 3874 plus the [SHA2draft] references are normative, since they specify algorithms which are used by this protocol.

Editorial:

Abstract/Intro: Lots of acronyms need expanding, including TSIG, DNS, GSS, HMAC, SHA.
s1, para 3: s/meaning/effect/
s4, para 1: s/doucment/document/
s4, para 5: s/spearate/separate/
s6, para 1: s/brute force/break the authentication by brute force/
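The two technical points in the review, the receiver's handling of an algorithm it does not support and the policy question around accepting SHA-1 HMACs truncated to 96 bits without opening a bidding-down path, are easier to reason about against a concrete verifier. The following is an added illustration, written for this page and not part of the draft, the review, or any DNS implementation. It models the TSIG MAC check as a small HMAC verifier: the digest input is a simplified stand-in for the RFC 2845 digest components (the real layout also includes the key name, class, TTL, error and other-data fields), the algorithm identifiers are assumed names following the draft's hmac-shaN convention (hmac-md5.sig-alg.reg.int. is the RFC 2845 identifier), the error values BADSIG/BADKEY/BADTIME are those defined in RFC 2845, and reporting an unsupported algorithm as BADKEY is a policy choice made for the example rather than something the draft specifies. The truncation rule is the point of interest: a receiver that accepts any MAC length the sender chooses can be bid down to a trivially short tag, so the verifier enforces a minimum (96 bits by default, and never less than half the digest, per RFC 2104 guidance) and treats anything shorter as a bad signature rather than as a valid shorter form.

```python
import hashlib
import hmac
import struct

# TSIG error values defined in RFC 2845.
BADSIG, BADKEY, BADTIME = 16, 17, 18

# Algorithm identifiers this verifier accepts. The hmac-shaN names are
# assumptions following the draft's naming convention; hmac-md5 is RFC 2845's.
SUPPORTED = {
    "hmac-md5.sig-alg.reg.int.": hashlib.md5,
    "hmac-sha1.": hashlib.sha1,
    "hmac-sha256.": hashlib.sha256,
}


def digest_input(request_mac, message, algorithm, time_signed, fudge):
    """Simplified stand-in for the RFC 2845 digest components: the request MAC
    (empty when signing a request), the DNS message, and a subset of the TSIG
    variables. Key name, class, TTL, error and other-data are omitted here."""
    return (
        request_mac
        + message
        + algorithm.encode("ascii")
        + struct.pack("!Q", time_signed)[2:]   # 48-bit "time signed"
        + struct.pack("!H", fudge)
    )


def sign(key, algorithm, request_mac, message, time_signed, fudge, mac_len=None):
    """Compute the HMAC; if mac_len is given, keep only the left-most mac_len
    bytes, which is how RFC 2104 truncation works."""
    data = digest_input(request_mac, message, algorithm, time_signed, fudge)
    full = hmac.new(key, data, SUPPORTED[algorithm]).digest()
    return full if mac_len is None else full[:mac_len]


def verify(key, algorithm, request_mac, message, time_signed, fudge, mac, now,
           min_mac_len=12):
    """Return (True, 0) on success, or (False, tsig_error) on failure.

    Checks run in the RFC 2845 order: key/algorithm, MAC, then time."""
    if algorithm not in SUPPORTED:
        # Example policy (not from the draft): an algorithm this receiver does
        # not implement is reported like an unknown key.
        return False, BADKEY
    full_len = SUPPORTED[algorithm]().digest_size
    # Truncation policy: at least min_mac_len bytes (96 bits by default) and at
    # least half the digest (RFC 2104 guidance). A shorter tag is a bid-down
    # attempt or a forgery and is refused as a bad signature; a longer one
    # cannot be a valid truncation of this digest either.
    if len(mac) < max(min_mac_len, full_len // 2) or len(mac) > full_len:
        return False, BADSIG
    expected = sign(key, algorithm, request_mac, message, time_signed, fudge, len(mac))
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return False, BADSIG
    if abs(now - time_signed) > fudge:
        return False, BADTIME
    return True, 0


# Constructed sample inputs for a stand-alone run (not real DNS traffic).
KEY = b"example-shared-secret"
MESSAGE = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01"  # stand-in for a DNS message
TIME_SIGNED = 1134000000
FUDGE = 300

if __name__ == "__main__":
    mac96 = sign(KEY, "hmac-sha1.", b"", MESSAGE, TIME_SIGNED, FUDGE, 12)
    print("sha1/96 accepted:", verify(KEY, "hmac-sha1.", b"", MESSAGE, TIME_SIGNED, FUDGE, mac96, TIME_SIGNED + 10))
    print("sha1/80 refused: ", verify(KEY, "hmac-sha1.", b"", MESSAGE, TIME_SIGNED, FUDGE, mac96[:10], TIME_SIGNED + 10))
    print("unknown alg:     ", verify(KEY, "hmac-sha384.", b"", MESSAGE, TIME_SIGNED, FUDGE, mac96, TIME_SIGNED + 10))
```

The receiver-side choice of error value is exactly the gap the review points at: the verifier has to pick something when the algorithm is unsupported, and without a defined code or negotiation step an older sender cannot tell that from a key mismatch. Likewise, whether 96-bit SHA-1 MACs are generated and accepted belongs in the receiver's policy (the `min_mac_len` knob here), not in the sender's hands.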