[art] draft-ietf-dnsop-delext-08 ietf last call Artart review

Jiankang Yao via Datatracker <noreply@ietf.org> Sat, 11 July 2026 06:06 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: art@ietf.org
Delivered-To: art@mail2.ietf.org
Received: from [10.244.21.112] (gaia.k8s.ietf.org [4.156.85.76]) by mail2.ietf.org (Postfix) with ESMTP id 8BB80114F1362; Fri, 10 Jul 2026 23:06:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1783749988; bh=b3j3d0PYFgrIJtQff638Qml/MR7+rjvL5prbZ1yFek4=; h=From:To:Cc:Subject:Reply-To:Date; b=fgpVe4eaH+jlstaN9BxpVbXJfKeAuQVn2p/zTMehetaEGBMUtHTj09cMPxD3Zetje B+4Q9C2UUghd5L8wBePLI/n6j4aM4N2Lcxh1iNYlJd8qQIbuCHLEOfZAbLRcUCOnhy YoIlkyct4uhjPb960trBkb1FU0ma5hcZiP7Ii81I=
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Jiankang Yao via Datatracker <noreply@ietf.org>
To: art@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 12.69.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <178374998843.143837.11459578927193705236@dt-datatracker-d4d6ff9d9-kg6bf>
Date: Fri, 10 Jul 2026 23:06:28 -0700
Message-ID-Hash: LWLPDGD7LUTSLD3OOYJXBYM6QWEG7GEG
X-Message-ID-Hash: LWLPDGD7LUTSLD3OOYJXBYM6QWEG7GEG
X-MailFrom: noreply@ietf.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-art.ietf.org-0; header-match-art.ietf.org-1; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop@ietf.org, draft-ietf-dnsop-delext.all@ietf.org, last-call@ietf.org
X-Mailman-Version: 3.3.9rc6
Reply-To: Jiankang Yao <yaojk@cnnic.cn>
Subject: [art] draft-ietf-dnsop-delext-08 ietf last call Artart review
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/l3mBRgH6rhgxaXKbl6XGOMDdAE4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Owner: <mailto:art-owner@ietf.org>
List-Post: <mailto:art@ietf.org>
List-Subscribe: <mailto:art-join@ietf.org>
List-Unsubscribe: <mailto:art-leave@ietf.org>

Document: draft-ietf-dnsop-delext
Title: DNS Protocol Modifications for Delegation Extensions
Reviewer: Jiankang Yao
Review result: Almost Ready

I am the assigned ART-ART reviewer for this draft. The Art Area
Review Team (ART-ART) reviews all IETF documents being processed
by the IESG.  Please treat these comments just
like any other last call comments.

Document: draft-ietf-dnsop-delext-08
Reviewer: Jiankang Yao
Review Date: 2026-07-11

Summary: Almost Ready.

This document specifies modifications to the DNS protocol to permit a range of
Resource Record types at delegation points. These modifications are proposed to
design to maintain compatibility with existing DNS resolution mechanisms.

I think that this is a very big change to DNS.
DNS is very important to Internet. It needs very careful review from IETF.

One suggestion:
Section 4.1 specifies that authoritative servers omit NS RRsets and return only
Delegation Type RRsets in referrals when DE=1. This introduces ambiguous
caching behavior
 for recursive resolvers in mixed deployment environments:

A resolver may first receive a DE=1 referral for a zone (carrying Delegation
Type RRsets, no NS records), which it caches normally. A subsequent DE=0 or
DELEXT-unaware query for the identical zone will trigger a traditional referral
containing NS RRsets, populating the resolver cache with NS data.

Section 5.2 prohibits caching NS records obtained from DE=1 referrals,
 but the draft provides no clear rules governing NS records retrieved
via DE=0 queries or DELEXT-unaware queries that coexist with cached Delegation
Type RRsets for the same name.

Since most real-world DNS clients may continue to send DE=0 or DELEXT-unaware
query queries long after DELEXT deployment, the specification needs additional
text to define resolver cache handling of NS RRsets.

One Question: Is this Potential DoS vulnerability from no cached NS fallback
under DE=1?

Section 4.1 mandates authoritative servers omit NS RRsets in DE=1 referrals,
and Section 5.2 forbids resolvers from caching NS records associated with DE=1
delegations.

If a DE=1 referral’s Delegation Type data fails to yield usable resolution
endpoints for any reason, the resolver holds no cached NS fallback records for
the zone example.com.
 The DNS clients will try and try again since they can not get the right DNS
 resolution of exaample.com.

 Do they open a denial-of-service attack?