--- 1/draft-ietf-dnsop-rfc2845bis-08.txt 2020-07-10 08:13:14.136842886 -0700 +++ 2/draft-ietf-dnsop-rfc2845bis-09.txt 2020-07-10 08:13:14.200844509 -0700 @@ -1,26 +1,26 @@ Internet Engineering Task Force F. Dupont Internet-Draft S. Morris Obsoletes: 2845, 4635 (if approved) ISC Intended status: Standards Track P. Vixie -Expires: November 5, 2020 Farsight +Expires: January 11, 2021 Farsight D. Eastlake 3rd Futurewei O. Gudmundsson Cloudflare B. Wellington Akamai - May 4, 2020 + July 10, 2020 Secret Key Transaction Authentication for DNS (TSIG) - draft-ietf-dnsop-rfc2845bis-08 + draft-ietf-dnsop-rfc2845bis-09 Abstract This document describes a protocol for transaction level authentication using shared secrets and one way hashing. It can be used to authenticate dynamic updates to a DNS zone as coming from an approved client, or to authenticate responses as coming from an approved name server. No recommendation is made here for distributing the shared secrets: @@ -37,21 +37,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on November 5, 2020. + This Internet-Draft will expire on January 11, 2021. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -754,21 +754,21 @@ Implementations that support TSIG MUST also implement HMAC SHA1 and HMAC SHA256 and MAY implement gss-tsig and the other algorithms listed below. SHA-1 truncated to 96 bits (12 octets) SHOULD be implemented. Name Implementation Use ------------------------ -------------- --------------- HMAC-MD5.SIG-ALG.REG.INT MAY MUST NOT gss-tsig MAY MAY hmac-sha1 MUST NOT RECOMMENDED - hmac-sha224 MAY NOT RECOMMENDED + hmac-sha224 MAY MAY hmac-sha256 MUST RECOMMENDED hmac-sha256-128 MAY MAY hmac-sha384 MAY MAY hmac-sha384-192 MAY MAY hmac-sha512 MAY MAY hmac-sha512-256 MAY MAY Table 2 7. TSIG Truncation Policy @@ -1296,37 +1296,41 @@ * Reworked the section on client processing of response to remove ambiguity. * Section on TSIG over TCP now mentions zone transfer as an example, rather than the entire section being about zone transfers. * Note that quote from RFC2845 in "What is DNSSEC?" section has been edited to refer to the latest standards. + draft-ietf-dnsop-rfc2845bis-09 + + Change use of hmac-224 from NOT RECOMMENDED to MAY. + Authors' Addresses Francis Dupont Internet Systems Consortium, Inc. PO Box 360 Newmarket, NH 03857 United States of America Email: Francis.Dupont@fdupont.fr - Stephen Morris Internet Systems Consortium, Inc. PO Box 360 Newmarket, NH 03857 United States of America Email: sa.morris8@gmail.com + Paul Vixie Farsight Security Inc 177 Bovet Road, Suite 180 San Mateo, CA 94402 United States of America Email: paul@redbarn.org Donald E. Eastlake 3rd Futurewei Technologies