IETF Logo Mail Archive

[DNSOP] Comments on draft-rssac-dnsop-rfc2870bis-04.txt

Paul Hoffman <paul.hoffman@vpnc.org> Mon, 06 February 2012 20:49 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB4F121F8755 for <dnsop@ietfa.amsl.com>; Mon, 6 Feb 2012 12:49:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qYRrjwIwoCC2 for <dnsop@ietfa.amsl.com>; Mon, 6 Feb 2012 12:49:26 -0800 (PST)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id 8948A21F873D for <dnsop@ietf.org>; Mon, 6 Feb 2012 12:49:26 -0800 (PST)
Received: from [192.168.11.124] ([12.239.109.3]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.3) with ESMTP id q16Kn34i038181 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Mon, 6 Feb 2012 13:49:04 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset="us-ascii"
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <20120206191256.GA14871@vacation.karoshi.com.>
Date: Mon, 06 Feb 2012 15:49:03 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <1F781ED0-0198-4771-9ECA-D5785850C8CD@vpnc.org>
References: <20120206191256.GA14871@vacation.karoshi.com.>
To: bmanning@vacation.karoshi.com
X-Mailer: Apple Mail (2.1251.1)
Cc: rssac@icann.org, dnsop@ietf.org
Subject: [DNSOP] Comments on draft-rssac-dnsop-rfc2870bis-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Feb 2012 20:49:28 -0000

Greetings again. This looks much better than the -00, but still needs more effort.

The language in the text is still very rough (larger than "nits", not quite as bad as "confusing"). I believe that the amount of copy editing done by the RFC Editor depends on the stream through which you submit the document. If anyone in the root server operator community can spare <5 hours of an in-house copy editor, you should strongly consider it before turning the document in; otherwise, the AUTH48 comments will either be extensive enough to make finding newly-introduced mistakes difficult, or too few so as to make the document seem unprofessional (particularly when compared to RFC 2870).

The paragraph at the end of section 1 (the "isn't really 2119 language" text) is quite cute and will cause you a world of pain and delay. You have de-capped everything, so remove the paragraph. (Unless you're just trying to make John Klensin even grumpier, which is also quite cute but will also cause you a world of pain and delay).

The intro to section 3 says:
   The servers need both physical and protocol security as well as
   unambiguous authentication of their responses. Physical security focuses
   on the machines and their locations, Protocol security and response 
   authentication are covered by Internet Protocol standards.
However, there are three subsections, the middle being "network security". Further, much of the protocol security is covered by by transport layer security, not IP security. Proposed new wording:
   The servers need to be protected by physical and protocol security for
   their administration and communications. They also need to be protected
   by network security to reduce their vulnerability to attack. Physical
   security focuses on the machines and their locations, network security
   focuses on the way that the root servers are connected to the Internet,
   and protocol security focuses on administrative communication with the
   servers as well as integrity protection for the messages from the
   servers to the public.

The text in 3.2.5 doesn't make sense. NTP can't be on the list if the operator is expected to get time updates "in as secure manner as possible". A proposed rewording would be to just remove that phrase because you describe what operationally is needed to use NTP in a non-crypto secure manner.

Security Considerations are supposed to be just before references, so things are going to be reordered and renumbered by the RFC Editor unless you do it yourself sooner. Given the fact that you use sectional cross-references, doing this yourself is probably better than waiting for the RFC Editor to do it for you.

Using numbers for reference instead of something useful is allowed and makes it hard to understand the document. Consider making the references more useful. For example, references 8, 9, and 10 are (soonesqe) going to be expanded to also include draft-ietf-dnsext-dnssec-bis and RFC 5011; this would be clearer if it was clear what you were referring to.

For the author reference, consider adding the URL <http://www.root-servers.org/>, given that mail to the address listed will often be automatically lost. (Bonus points for updating that page to eliminate the decade-old presentations and just leave the news!)

--Paul Hoffman

v2.23.0 | Report a Bug | By Email