Re: [dns-privacy] Genart last call review of draft-ietf-dprive-xfr-over-tls-09

Sara Dickinson <> Tue, 20 April 2021 08:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DC38D3A18BD; Tue, 20 Apr 2021 01:51:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id aUm_0JZaqGtA; Tue, 20 Apr 2021 01:51:44 -0700 (PDT)
Received: from ( [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9BA0E3A199F; Tue, 20 Apr 2021 01:51:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; ; s=mythic-beasts-k1; h=To:Date:Subject:From; bh=fcgTlAa93HPG4725WmugYDEUKGLGTZxwLMLqYbf8rMc=; b=LjNF8zAjXXKzSNBN5evZabeiRL GxH6v4WPJkgXeYha0TtiF/2bUVnz0sugBhPjEfzmcfr+hkSRHZQxA/qOOOTM8agfw41psn/xdJwyc dD5QTMJIZaYanhKbtTtze0EAyHF+MI8Gsw/TC8S1ctOtj3YVTu+QuyRm4hVoJl3rvGxaTUQIfD7NH O1LxBWW7cJlzXc23T9ecNMZcQTT5y8KgPi+RtulwFzUHrgpl53UMK4H2+vUTXMeuuQb0q6kUh/0oP vsMlopORrgXSeoZduDSK+PAcB8JIUM/J5+xwoPnTDmIAqHv34Tvhe7YUQ31I7kF0aXIC0WJO6J9X8 yfxSmS1A==;
Received: from [] (port=24028 helo=[]) by with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from <>) id 1lYm6D-00022J-Qr; Tue, 20 Apr 2021 09:51:18 +0100
From: Sara Dickinson <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C83B1796-956D-4BE9-AAC0-D8D6A871298C"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.17\))
Date: Tue, 20 Apr 2021 09:51:03 +0100
In-Reply-To: <>
Cc: General Area Review Team <>, DNS Privacy Working Group <>,,
To: Dan Romascanu <>
References: <>
X-Mailer: Apple Mail (2.3445.104.17)
X-BlackCat-Spam-Score: 14
Archived-At: <>
Subject: Re: [dns-privacy] Genart last call review of draft-ietf-dprive-xfr-over-tls-09
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 20 Apr 2021 08:51:50 -0000

> On 17 Apr 2021, at 10:43, Dan Romascanu via Datatracker <> wrote:
> Reviewer: Dan Romascanu
> Review result: Ready with Nits
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair.  Please treat these comments just
> like any other last call comments.
> For more information, please see the FAQ at
> <>.
> Document: draft-ietf-dprive-xfr-over-tls-09
> Reviewer: Dan Romascanu
> Review Date: 2021-04-17
> IETF LC End Date: 2021-04-20
> IESG Telechat date: Not scheduled for a telechat
> Summary:
> Ready with nits.
> This document specifies XFR-over-TLS (XoT) i.e. the use of TLS, rather than
> clear text, to prevent zone content collection via passive monitoring of DNS
> zone transfers. This is a very clear and well-written document. I had to do
> further reading to understand some of the specified or referred concepts and
> mechanisms, but after doing it all aligned nicely. I especially appreciate the
> inclusion and level of detail of Section 7 which explains the updates to the
> existing specifications, including the RFCs updated by this document and
> clarifies the issues of backwards compatibility. There are a few nits that I
> suggest to address before publication.

Hi Dan, 

Many thanks for the review.

> Major issues:
> Minor issues:
> Nits/editorial comments:
> 1. In Section 3:
>> XoT: Generic XFR-over-TLS mechanisms as specified in this document
> What does 'Generic' mean here? Are there also non-generic / specific mechanisms
> similar to XoT that should be referenced? If not, consider dropping ‘Generic'

It was intended to mean that the term applied to both IXFR and AXFR-over-TLS… I propose updating the text to the following:

“XoT: XFR-over-TLS mechanisms as specified in this document which apply to both AXFR-over-TLS and IXFR-over-TLS"

> 2. In Section 5 there are two Design Considerations labelled both Performance.
> Is this the intent? If yes, maybe they should be grouped together. If not maybe
> at least one of the name may be changed.

Good point - they are now grouped them together.

> 3. Should not the fact that implementations MUST use TLS 1.3 or higher, which
> is specified in Section 8.1, be also mentioned in the Introduction?

Yes - the last paragraph is now update to add that.

> 4. Section 9 uses in one instance the term 'multi-master'. Can an alternative
> term be considered, taking into account the work summarized in I-Ds such as
> <>

Thanks for spotting this. I suggest simply removing that text as I think term multi-primary in the title should be enough given our terminology section. 

> 5. I assume that Section 20 - Changelog will be removed before publication

I’ve added text to request this, just to make sure.

I’ve published a -10 version the draft including these changes which I hope addresses your issues?