[art] draft-ietf-dnsop-delext-08 ietf last call Artart review
Jiankang Yao via Datatracker <noreply@ietf.org> Sat, 11 July 2026 06:06 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: art@ietf.org
Delivered-To: art@mail2.ietf.org
Received: from [10.244.21.112] (gaia.k8s.ietf.org [4.156.85.76]) by mail2.ietf.org (Postfix) with ESMTP id 8BB80114F1362; Fri, 10 Jul 2026 23:06:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1783749988; bh=b3j3d0PYFgrIJtQff638Qml/MR7+rjvL5prbZ1yFek4=; h=From:To:Cc:Subject:Reply-To:Date; b=fgpVe4eaH+jlstaN9BxpVbXJfKeAuQVn2p/zTMehetaEGBMUtHTj09cMPxD3Zetje B+4Q9C2UUghd5L8wBePLI/n6j4aM4N2Lcxh1iNYlJd8qQIbuCHLEOfZAbLRcUCOnhy YoIlkyct4uhjPb960trBkb1FU0ma5hcZiP7Ii81I=
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Jiankang Yao via Datatracker <noreply@ietf.org>
To: art@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 12.69.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <178374998843.143837.11459578927193705236@dt-datatracker-d4d6ff9d9-kg6bf>
Date: Fri, 10 Jul 2026 23:06:28 -0700
Message-ID-Hash: LWLPDGD7LUTSLD3OOYJXBYM6QWEG7GEG
X-Message-ID-Hash: LWLPDGD7LUTSLD3OOYJXBYM6QWEG7GEG
X-MailFrom: noreply@ietf.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-art.ietf.org-0; header-match-art.ietf.org-1; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop@ietf.org, draft-ietf-dnsop-delext.all@ietf.org, last-call@ietf.org
X-Mailman-Version: 3.3.9rc6
Reply-To: Jiankang Yao <yaojk@cnnic.cn>
Subject: [art] draft-ietf-dnsop-delext-08 ietf last call Artart review
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/l3mBRgH6rhgxaXKbl6XGOMDdAE4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Owner: <mailto:art-owner@ietf.org>
List-Post: <mailto:art@ietf.org>
List-Subscribe: <mailto:art-join@ietf.org>
List-Unsubscribe: <mailto:art-leave@ietf.org>
Document: draft-ietf-dnsop-delext Title: DNS Protocol Modifications for Delegation Extensions Reviewer: Jiankang Yao Review result: Almost Ready I am the assigned ART-ART reviewer for this draft. The Art Area Review Team (ART-ART) reviews all IETF documents being processed by the IESG. Please treat these comments just like any other last call comments. Document: draft-ietf-dnsop-delext-08 Reviewer: Jiankang Yao Review Date: 2026-07-11 Summary: Almost Ready. This document specifies modifications to the DNS protocol to permit a range of Resource Record types at delegation points. These modifications are proposed to design to maintain compatibility with existing DNS resolution mechanisms. I think that this is a very big change to DNS. DNS is very important to Internet. It needs very careful review from IETF. One suggestion: Section 4.1 specifies that authoritative servers omit NS RRsets and return only Delegation Type RRsets in referrals when DE=1. This introduces ambiguous caching behavior for recursive resolvers in mixed deployment environments: A resolver may first receive a DE=1 referral for a zone (carrying Delegation Type RRsets, no NS records), which it caches normally. A subsequent DE=0 or DELEXT-unaware query for the identical zone will trigger a traditional referral containing NS RRsets, populating the resolver cache with NS data. Section 5.2 prohibits caching NS records obtained from DE=1 referrals, but the draft provides no clear rules governing NS records retrieved via DE=0 queries or DELEXT-unaware queries that coexist with cached Delegation Type RRsets for the same name. Since most real-world DNS clients may continue to send DE=0 or DELEXT-unaware query queries long after DELEXT deployment, the specification needs additional text to define resolver cache handling of NS RRsets. One Question: Is this Potential DoS vulnerability from no cached NS fallback under DE=1? Section 4.1 mandates authoritative servers omit NS RRsets in DE=1 referrals, and Section 5.2 forbids resolvers from caching NS records associated with DE=1 delegations. If a DE=1 referral’s Delegation Type data fails to yield usable resolution endpoints for any reason, the resolver holds no cached NS fallback records for the zone example.com. The DNS clients will try and try again since they can not get the right DNS resolution of exaample.com. Do they open a denial-of-service attack?
- [art] draft-ietf-dnsop-delext-08 ietf last call A… Jiankang Yao via Datatracker