[DNSOP] Éric Vyncke's No Objection on draft-ietf-dnsop-no-response-issue-20: (with COMMENT)

Éric Vyncke via Datatracker <noreply@ietf.org> Wed, 08 April 2020 14:16 UTC

From: Éric Vyncke via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-dnsop-no-response-issue@ietf.org, dnsop-chairs@ietf.org, dnsop@ietf.org, Tim Wicinski <tjw.ietf@gmail.com>, tjw.ietf@gmail.com
Reply-To: Éric Vyncke <evyncke@cisco.com>
Message-ID: <158635541503.17090.16242357885883562267@ietfa.amsl.com>
Date: Wed, 08 Apr 2020 07:16:55 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/BQwfAlTgqQf0X7HCFWE0ashFApU>
Subject: [DNSOP] Éric Vyncke's No Objection on draft-ietf-dnsop-no-response-issue-20: (with COMMENT)

Éric Vyncke has entered the following ballot position for
draft-ietf-dnsop-no-response-issue-20: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-no-response-issue/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thank you for the work put into this document. I also like the extensive test
scenarios with 'dig' ;-)

To be honest, I was about to ballot a DISCUSS as I have some doubts whether the
objective of removing non-compliant servers (end of section 2) is achievable...
Too many non-compliant servers, probably managed by clueless people. But, hey,
we can always try!

I also wonder why this document is a generic BCP while section 8 and other
parts seem to indicate something more like a testing of servers. Balloting NO
OBJECTION, but also a long hesitation for a DISCUSS.

Please address the nits found by Carlos during the INTDIR review:
https://mailarchive.ietf.org/arch/msg/int-dir/wfKo4vDmFJwPa1HeDY9wxP2JdEA (at
least one nit is already addressed, thank you)

Please find below some non-blocking COMMENTs and NITs. An answer will be
appreciated.

I hope that this helps to improve the document,

Regards,

-éric

== COMMENTS ==
Generic: the objective of this document is a little unclear to me: is it to do
compliance testing/certification of specific DNS server software, or of actual
DNS servers on the Internet?

-- Section 1 --
Suggest also adding middle-boxes dropping EDNS to the sentence "Due to the
inability to distinguish between packet loss and nameservers dropping EDNS"
(see section 4).

-- Section 4 --
Why limit the middle boxes to only firewalls and load balancers? There are
many different types of middle-box (NAT, ...) also doing "packet massaging" on
the fly... :-(

-- Section 10 --
The security considerations are rather weak...

If the intent is to probe Internet servers, then why not add some text
along the lines of 'do it only with prior agreement of the DNS server's operator'?

Also, if the firewall is "protecting" the DNS server (cough cough), then as a
security officer I would prefer to block all unknown opcodes/types at the
firewall (possibly with a reply).

== NITS ==

-- section 2 --
Please add an expansion of, or a reference for, "AD flag bit". (And to me as a
non-native English speaker, it is a pleonasm.)