[dnsext] [reed@reedmedia.net: comments on draft-weiler-dnsext-dnssec-bis-updates 18]
Andrew Sullivan <ajs@anvilwalrusden.com> Mon, 07 May 2012 17:53 UTC
Date: Mon, 07 May 2012 13:53:18 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsext@ietf.org
Message-ID: <20120507175312.GL8963@mail.yitter.info>
Forwarded as suggested. I think the draft name is misspelled.

A

----- Forwarded message from "Jeremy C. Reed" <reed@reedmedia.net> -----

Date: Mon, 7 May 2012 11:21:20 -0500 (CDT)
From: "Jeremy C. Reed" <reed@reedmedia.net>
To: ajs@anvilwalrusden.com
Subject: comments on draft-weiler-dnsext-dnssec-bis-updates 18

The following are my comments on draft-weiler-dnsext-dnssec-bis-updates-18.
You may forward my comments or reply on list as desired.

4.3. Check for CNAME

   Section 5 of [RFC4035] says little about validating responses based
   on (or that should be based on) CNAMEs.

* The wording above is confusing or misleading. RFC 4035 Section 5 says
  nothing about CNAME specifically.

5.3. Private Algorithms

   ... In the remaining cases, the security status of the zone depends
   on whether or not the resolver supports any of the private algorithms
   in use (provided that these DS records use supported hash functions,
   as discussed in Section 5.2).

* This may be confusing since the draft's section 5.2 matches up with
  numbering of RFC 4035's Section 5.2 and the draft's 5.2 does not use
  the terminology "hash functions".

5.6. Setting the DO Bit on Replies

* Mention it is Section 3.

5.7. Setting the AD Bit on Queries

   The use of the AD bit in the query was previously undefined.

* It was defined for queries. See RFC 4035 4.6: ``A security-aware
  resolver MUST clear the AD bit when composing query messages to
  protect against buggy name servers that blindly copy header bits that
  they do not understand from the query message to the response
  message.''

6.1. Finding Zone Cuts

* What are the "special rules" and "special processing rules"? The
  wording is unclear if these are the rules defined in RFC 4035 3.1.4.1
  or if they are new special rules. In other words, what is the minor
  correction or clarification here?

Appendix B. Discussion of Setting the CD Bit

* Maybe mention "(server failure)" in first mention of RCODE=2.

* Also be consistent with referring to RFC numbers, maybe always use
  brackets around them every time.

----- End forwarded message -----

-- 
Andrew Sullivan
ajs@anvilwalrusden.com
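The AD/DO discussion above (RFC 4035 4.6 on clearing AD in queries, and the DO bit being echoed in replies) is easier to see on the wire. The following is an added example, not part of this thread or of the draft: it builds a DNSSEC-aware query with AD cleared and DO set in an EDNS0 OPT RR, parses the header and OPT RR of a reply, and models the "buggy name server that blindly copies header bits" the RFC warns about, so that the difference between a compliant client (AD cleared, so any AD=1 in the reply must have come from the server) and a sloppy one (AD set, so AD=1 in the reply may be a mere echo) shows up in the flag check. The query name example.com, the transaction ID, the UDP payload size and the echo-server model are all assumptions made for the demonstration.

```python
import struct

# Header flag bits (RFC 1035 4.1.1; AD and CD from RFC 4035 3.2.2 / 3.2.3).
FLAG_QR = 1 << 15
FLAG_AA = 1 << 10
FLAG_TC = 1 << 9
FLAG_RD = 1 << 8
FLAG_RA = 1 << 7
FLAG_AD = 1 << 5
FLAG_CD = 1 << 4
RCODE_MASK = 0xF

TYPE_OPT = 41        # EDNS0 OPT pseudo-RR type
EDNS_DO = 1 << 15    # DO bit: MSB of the low 16 bits of the OPT RR TTL field (RFC 3225)


def encode_name(name):
    """Encode a dotted name as uncompressed wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, txid=0x1234, cd=False, do=True, udp_size=4096):
    """Build a recursive query; AD is always cleared per RFC 4035 4.6."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    flags &= ~FLAG_AD   # MUST clear AD when composing queries (RFC 4035 4.6)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN
    opt = b""
    if do:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL carries DO, no RDATA.
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte header into named flags, RCODE and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
        "tc": bool(flags & FLAG_TC), "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA), "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD), "rcode": flags & RCODE_MASK,
        "counts": (qd, an, ns, ar),
    }


def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def message_do(msg):
    """Return the DO bit of the first OPT RR found, or None if the message has no OPT RR."""
    qd, an, ns, ar = parse_header(msg)["counts"]
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return bool(ttl & EDNS_DO)
    return None


def with_header_flag(msg, flag):
    """Copy of msg with an extra header flag set; models a non-compliant client (assumption)."""
    flags = struct.unpack("!H", msg[2:4])[0] | flag
    return msg[:2] + struct.pack("!H", flags) + msg[4:]


def buggy_echo_response(query):
    """Model (assumption) of the server RFC 4035 4.6 warns about: it sets QR/RA and
    copies every other header bit, including AD, from the query without validating."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    return struct.pack("!HHHHHH", txid, flags | FLAG_QR | FLAG_RA, qd, an, ns, ar) + query[12:]


def check_response(query, response):
    """Flag checks a validating stub should make before trusting a reply's AD bit."""
    qh, rh = parse_header(query), parse_header(response)
    return {
        # If the query carried AD, an AD=1 reply may be an echo rather than a validation result.
        "ad_reflected": qh["ad"] and rh["ad"],
        # RFC 3225 3: the DO bit of the query MUST be copied into the response.
        "do_mirrored": message_do(response) == message_do(query),
        "rcode": rh["rcode"],
    }


if __name__ == "__main__":
    good = build_query("example.com.", 1)                 # A record, AD cleared, DO set
    sloppy = with_header_flag(good, FLAG_AD)              # same query with AD left set
    for label, q in (("compliant", good), ("sloppy", sloppy)):
        r = buggy_echo_response(q)
        print(label, "reply AD =", parse_header(r)["ad"], check_response(q, r))
```

With the compliant query the echo server cannot make the reply look validated (AD stays 0); with the sloppy query the same server returns AD=1 and `ad_reflected` is true, which is exactly why the resolver is the one required to clear the bit.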