Re: [dns-privacy] Genart last call review of draft-ietf-dprive-xfr-over-tls-09

Sara Dickinson <sara@sinodun.com> Tue, 20 April 2021 08:51 UTC

Return-Path: <sara@sinodun.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC38D3A18BD; Tue, 20 Apr 2021 01:51:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sinodun.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aUm_0JZaqGtA; Tue, 20 Apr 2021 01:51:44 -0700 (PDT)
Received: from balrog.mythic-beasts.com (balrog.mythic-beasts.com [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BA0E3A199F; Tue, 20 Apr 2021 01:51:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sinodun.com ; s=mythic-beasts-k1; h=To:Date:Subject:From; bh=fcgTlAa93HPG4725WmugYDEUKGLGTZxwLMLqYbf8rMc=; b=LjNF8zAjXXKzSNBN5evZabeiRL GxH6v4WPJkgXeYha0TtiF/2bUVnz0sugBhPjEfzmcfr+hkSRHZQxA/qOOOTM8agfw41psn/xdJwyc dD5QTMJIZaYanhKbtTtze0EAyHF+MI8Gsw/TC8S1ctOtj3YVTu+QuyRm4hVoJl3rvGxaTUQIfD7NH O1LxBWW7cJlzXc23T9ecNMZcQTT5y8KgPi+RtulwFzUHrgpl53UMK4H2+vUTXMeuuQb0q6kUh/0oP vsMlopORrgXSeoZduDSK+PAcB8JIUM/J5+xwoPnTDmIAqHv34Tvhe7YUQ31I7kF0aXIC0WJO6J9X8 yfxSmS1A==;
Received: from [62.232.251.194] (port=24028 helo=[172.27.240.5]) by balrog.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from <sara@sinodun.com>) id 1lYm6D-00022J-Qr; Tue, 20 Apr 2021 09:51:18 +0100
From: Sara Dickinson <sara@sinodun.com>
Message-Id: <79092CDB-33DC-472D-B597-1CA22E4D4342@sinodun.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C83B1796-956D-4BE9-AAC0-D8D6A871298C"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.17\))
Date: Tue, 20 Apr 2021 09:51:03 +0100
In-Reply-To: <161865263565.11494.11842811379172646764@ietfa.amsl.com>
Cc: General Area Review Team <gen-art@ietf.org>, DNS Privacy Working Group <dns-privacy@ietf.org>, draft-ietf-dprive-xfr-over-tls.all@ietf.org, last-call@ietf.org
To: Dan Romascanu <dromasca@gmail.com>
References: <161865263565.11494.11842811379172646764@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3445.104.17)
X-BlackCat-Spam-Score: 14
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/dRMme1LHRo3YVnWY6e-VtdMtqpU>
Subject: Re: [dns-privacy] Genart last call review of draft-ietf-dprive-xfr-over-tls-09
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Apr 2021 08:51:50 -0000


> On 17 Apr 2021, at 10:43, Dan Romascanu via Datatracker <noreply@ietf.org> wrote:
> 
> Reviewer: Dan Romascanu
> Review result: Ready with Nits
> 
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair.  Please treat these comments just
> like any other last call comments.
> 
> For more information, please see the FAQ at
> 
> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
> 
> Document: draft-ietf-dprive-xfr-over-tls-09
> Reviewer: Dan Romascanu
> Review Date: 2021-04-17
> IETF LC End Date: 2021-04-20
> IESG Telechat date: Not scheduled for a telechat
> 
> Summary:
> 
> Ready with nits.
> 
> This document specifies XFR-over-TLS (XoT) i.e. the use of TLS, rather than
> clear text, to prevent zone content collection via passive monitoring of DNS
> zone transfers. This is a very clear and well-written document. I had to do
> further reading to understand some of the specified or referred concepts and
> mechanisms, but after doing it all aligned nicely. I especially appreciate the
> inclusion and level of detail of Section 7 which explains the updates to the
> existing specifications, including the RFCs updated by this document and
> clarifies the issues of backwards compatibility. There are a few nits that I
> suggest to address before publication.

Hi Dan, 

Many thanks for the review.

> 
> Major issues:
> 
> Minor issues:
> 
> Nits/editorial comments:
> 
> 1. In Section 3:
> 
>> XoT: Generic XFR-over-TLS mechanisms as specified in this document
> 
> What does 'Generic' mean here? Are there also non-generic / specific mechanisms
> similar to XoT that should be referenced? If not, consider dropping ‘Generic'

It was intended to mean that the term applied to both IXFR and AXFR-over-TLS… I propose updating the text to the following:

“XoT: XFR-over-TLS mechanisms as specified in this document which apply to both AXFR-over-TLS and IXFR-over-TLS"

> 
> 2. In Section 5 there are two Design Considerations labelled both Performance.
> Is this the intent? If yes, maybe they should be grouped together. If not maybe
> at least one of the name may be changed.

Good point - they are now grouped them together.

> 
> 3. Should not the fact that implementations MUST use TLS 1.3 or higher, which
> is specified in Section 8.1, be also mentioned in the Introduction?

Yes - the last paragraph is now update to add that.

> 
> 4. Section 9 uses in one instance the term 'multi-master'. Can an alternative
> term be considered, taking into account the work summarized in I-Ds such as
> https://datatracker.ietf.org/doc/draft-knodel-terminology/? <https://datatracker.ietf.org/doc/draft-knodel-terminology/?>

Thanks for spotting this. I suggest simply removing that text as I think term multi-primary in the title should be enough given our terminology section. 

> 
> 5. I assume that Section 20 - Changelog will be removed before publication

I’ve added text to request this, just to make sure.


I’ve published a -10 version the draft including these changes which I hope addresses your issues?

Regards

Sara.