draft-ietf-dnsext-dns-protocol-profile-00
Alfred Hönes <ah@tr-sys.de> Thu, 24 January 2008 18:04 UTC
Return-path: <owner-namedroppers@ops.ietf.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1JI6RC-0007sy-AO; Thu, 24 Jan 2008 13:04:30 -0500
Received: from psg.com ([2001:418:1::62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1JI6RA-0004hm-AD; Thu, 24 Jan 2008 13:04:30 -0500
Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1JI6IB-00013u-U0 for namedroppers-data@psg.com; Thu, 24 Jan 2008 17:55:11 +0000
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=-6.3 required=5.0 tests=AWL,BAYES_00,HEADER_SPAM, RDNS_NONE,USER_IN_WHITELIST_TO autolearn=no version=3.2.3
Received: from [66.92.146.160] (helo=ogud.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.68 (FreeBSD)) (envelope-from <namedroppers@hlid.ogud.com>) id 1JI6I7-00013S-PB for namedroppers@ops.ietf.org; Thu, 24 Jan 2008 17:55:10 +0000
Received: from hlid.ogud.com (localhost [127.0.0.1]) by ogud.com (8.13.1/8.13.1) with ESMTP id m0OHt05A002906 for <namedroppers@ops.ietf.org>; Thu, 24 Jan 2008 12:55:00 -0500 (EST) (envelope-from namedroppers@hlid.ogud.com)
Received: (from namedroppers@localhost) by hlid.ogud.com (8.13.1/8.13.1/Submit) id m0OHt0pi002905 for namedroppers@ops.ietf.org; Thu, 24 Jan 2008 12:55:00 -0500 (EST) (envelope-from namedroppers)
Received: from [213.178.172.147] (helo=WOTAN.TR-Sys.de) by psg.com with esmtp (Exim 4.68 (FreeBSD)) (envelope-from <A.Hoenes@tr-sys.de>) id 1JGuvq-00075c-AV for namedroppers@ops.ietf.org; Mon, 21 Jan 2008 11:35:17 +0000
Received: from ZEUS.TR-Sys.de by w. with ESMTP ($Revision: 1.37.109.26 $/16.3) id AA044655248; Mon, 21 Jan 2008 12:34:08 +0100
Received: (from ah@localhost) by z.TR-Sys.de (8.9.3 (PHNE_25183)/8.7.3) id MAA03051; Mon, 21 Jan 2008 12:34:06 +0100 (MEZ)
From: Alfred Hönes <ah@tr-sys.de>
Message-Id: <200801211134.MAA03051@TR-Sys.de>
Subject: draft-ietf-dnsext-dns-protocol-profile-00
To: ggm@apnic.net
Date: Mon, 21 Jan 2008 12:34:06 +0100
Cc: namedroppers@ops.ietf.org
X-Mailer: ELM [$Revision: 1.17.214.3 $]
Mime-Version: 1.0
Content-Type: text/plain; charset="hp-roman8"
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.63 on 66.92.146.160
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-id: DNSEXT discussion <namedroppers.ops.ietf.org>
X-Spam-Score: -0.0 (/)
X-Scan-Signature: ec7c6dab5a62df223002ae71b5179d41
[ Moderators note: Post was moderated, either because it was posted by
a non-subscriber, or because it was over 20K.
With the massive amount of spam, it is easy to miss and therefore
delete relevant posts by non-subscribers.
Please fix your subscription addresses. ]
Hello,
after browsing through the Internet-Draft authored/edited by you,
draft-ietf-dnsext-dns-protocol-profile-00,
I'd like to submit a few comments, supplying some additional
information, addressing textual flaws I found in that memo,
and suggesting a few additional topics that should be addressed.
(1) Section 1.1, 3rd paragraph -- typo
s/the documents normative language/the document's normative language/
^
(2) Section 3
(2a)
Missing full-stops at the end of paragraph 2 & 4.
(Also applicable to some subsequents sections/paragraphs.)
(2b)
The last paragraph od Section 3 says:
{new normative language} Processing if dns names in US-ASCII range
MUST be case insensitive. [RFC 1035 (2.3.3)] also see [RFC 1034
(3.1)]
There are multiple issues:
- s/if/of/
- s/dns/DNS/
- Processing must be done by *label*, not necessarily in a homogenous
manner for an entire DNS name -- e.g., there could be binary labels
in a domain name. Although this is currently not very important
because the original use of binary labels for IPv6 has been
deprecated, there might be other uses or new label types in the
future. Therefore, I suggest to unambiguously state:
| {new normative language} Processing of DNS 'ASCII labels' MUST be
| case insensitive. See [RFC 1035 (2.3.3)], [RFC 1034 (3.1), and
| [RFC4343] (3.1).
Accordingly, a reference '[RFC4343]' to RFC 4343 needs to be added to
Section 12 of the draft.
(3) Section 4.1
(3a) (don't know where to insert)
RFC 2308, section 5 has normatively changed the semantics of the
SOA.MINIMUM TTL field to become the 'Negative Caching TTL'.
Nevertheless, I frequently see zone files giving the old
interpretation of SOA.MINIMUM in a comment, and I fear that
this only is a symptom of outdated thinking, burned into the
brains of DNS implementors as well.
Therefore, I suggest to emphasize this change from STD13
in this roadmap document.
(3b) 4.1.1 -- Re: RFC 2535
RFC 2535 has been formally obsoleted by RFCs 4033..4035
(and as listed in the RFC index), but in fact some parts of
RFC 2535 are not considered obsolete.
This is quite confusing, in particular because there are other
documents equally considered still valid that make normative
references to RFC 2535 -- in particular RFC 2931 ('SIG(0)'),
and RFC 3445 that also has been obsoleted by RFCs 4033..4035,
but contains important updates to RFC 2535 still valid for /
defining the non-obsolete parts of RFC 2535.
There's a real need for a new, standalone specification
containing the non-deprecated parts of RFC 2535, perhaps
integrated with an updated version of RFC 2931, to make
an end to the existing confusion. Such document should
also incorporate (and obsolete) RFC 3445 and delineate
the (diminishing) applicability of the KEY RR, according
to current wisdom.
(3c) 4.1.1 -- item 4.
The draft says:
4. The TTLs of all RRs in an RRSet MUST be the same. {RFC reference
required}
^^^^^^^^
The normative text you are looking for is in RFC 2181, section 5.2.
(4) Section 4.2
The most frequent trouble with DNS I found in the last two years
is the inappropriate firewall filtering of DNS requests.
While it is common practice for (recursive) DNS resolvers to use
port 53 for listening for queries *and* sending queries, there is
no requirement to do so, in any DNS related RFC ever published.
DNS resolvers behind a NAT box with port translation cannot
enforce the source port of the DNS queries they emit, as seen
in the public Internet.
Furthermore, there are a lot of upcoming recommendations for
source port randomization as a partial defense against blind
off-path attacks.
Therefore, filtering DNS queries on source port is a major
obstacle to connectivity, and it does not add anything to the
security of the sites doing so. (BTW: M$ is one particular site
doing so since months, such making it impossible for me to contact
IETFers with email addresses served by these DNS servers, including
hotmail.com!)
I suggest to add a sentence to Section 4.2, pointing out that
the source port for DNS queries is not restricted in any way
by all existing DNS RFCs (for UDP and TCP as well).
(5) Section 4.3 -- Re: OPCODE 1
IQUERY indeed has been *obsoleted* by RFC 3425.
(6) Section 4.6
It should be noted that the use of MB, MG, MR, and MINFO has been
deprecated long ago, in favor of MX.
Definite RFC ref. is 2821, and statement reinforced in upcoming
2821bis (IETF LC passed, currently in final IESG processing).
(7) Section 4.8
Document is unclear as to whether it is intended to cover DNSSEC
in the sense of RFC 4033..4035. (I'd like to recall that DNS
transaction secority has been declared part of basic DNS, no more
part of DNSSEC -- as it was in RFC 2535 ff.)
(8) Section 12.2
In Section 12.2, the citations [RFC1811] and [RFC1816] have been
truncated; in both cases, the document title is "U.S", should be:
"U.S. Government Internet Domain Names".
(9) Appendix A
(9a) RFC 1348
RFC 1348 was first obsoleted by RFC 1637, then by RFC 1706. This
is clearly stated in the heading of RFC 1637 and in the RFC index.
The entry for RFC 1637 already is present in the list in Appendix A,
yet, the entry for RFC 1348 should be amended accordingly.
(9b) RFC 1712
Although RFC 1876 semantically is a replacement for RFC 1712,
it has not formally obsoleted RFC 1712, and the RFC index still
lists both RFCs as current. Even more, RFC 1876 does not mention
RFC 1712 or RRtype 27 at all, and RRtype 27 is not indicated
as deprecated or obsolete in the IANA registry.
It either should be considered to ask for a Protocol Action
by the IESG to retrofit the 'obsoletes' relationship 1712-->1876
and annotate RRtype 27 as obsolete in the IANA registry,
or to omit the entry for RFC 1712 fron Appendix A.
(9c) RFC 2065
In line with other entries, the entry for RFC 2065 should be
amended by ", then by RFC 4033 through 4035".
Best regards,
Alfred Hönes.
--
+------------------------+--------------------------------------------+
| TR-Sys Alfred Hoenes | Alfred Hoenes Dipl.-Math., Dipl.-Phys. |
| Gerlinger Strasse 12 | Phone: (+49)7156/9635-0, Fax: -18 |
| D-71254 Ditzingen | E-Mail: ah@TR-Sys.de |
+------------------------+--------------------------------------------+
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
- draft-ietf-dnsext-dns-protocol-profile-00 Alfred Hönes