Re: [DNSOP] draft-ietf-dnsop-rfc7816bis: hopefully ready for WG Last Call

Tony Finch <dot@dotat.at> Thu, 22 October 2020 22:12 UTC

Date: Thu, 22 Oct 2020 23:12:17 +0100
From: Tony Finch <dot@dotat.at>
To: Ralph Dolmans <ralph@nlnetlabs.nl>
cc: dnsop@ietf.org
In-Reply-To: <e81e62a5-747a-201d-0892-f498ef89e7a0@nlnetlabs.nl>
Message-ID: <alpine.DEB.2.20.2010222307480.4712@grey.csi.cam.ac.uk>
References: <C0C343BA-D0A6-46A0-90C8-053793BC5F40@icann.org> <alpine.DEB.2.20.2010141752020.8465@grey.csi.cam.ac.uk> <e81e62a5-747a-201d-0892-f498ef89e7a0@nlnetlabs.nl>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Q-QKUpsOtf6dOQhxEd7ZU9h4kJs>

Ralph Dolmans <ralph@nlnetlabs.nl> wrote:
>
> Thanks for your feedback, appreciated!

Thanks for the response!

I thought of another thing:

Some of the points in section 5 (on limiting the number of queries and the
performance downsides) should be discussed in section 7 (security
considerations). In particular QNAME minimization can amplify query volume
so it can be abused to make random subdomain attacks worse, though that
can be mitigated by RFC 8020 NXDOMAIN.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
the quest for freedom and justice can never end
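The amplification and the RFC 8020 mitigation Tony mentions can be made concrete by counting upstream queries. The simulator below is an added example, not code from the message, the draft or any resolver; the zone (victim.example with one existing name, www), the attacker names and the three resolver behaviours are all constructed here. The "qmin_fb" mode models a minimising resolver that does not trust NXDOMAIN for a shortened name and re-asks with the full QNAME (the work-around RFC 7816 describes for servers that mishandle empty non-terminals); "qmin_8020" models a resolver that treats that NXDOMAIN as final and caches it as a subtree cut per RFC 8020. Only queries sent to the victim's servers are counted, the delegation is assumed to be cached already, and wildcards are left out.

```python
"""
Upstream-query counter for a resolver under a random subdomain attack, with
and without QNAME minimisation and RFC 8020 NXDOMAIN handling.

Added example, not part of the DNSOP thread or the draft.  Assumptions:
one zone cut (victim.example.) whose delegation is already cached, so only
queries to the victim's authoritative servers are counted; only the RCODE
is modelled; no wildcards; empty non-terminals correctly answer NOERROR.
"""
from collections import Counter

ZONE_APEX = "victim.example."

# Constructed zone contents; any other name under the apex is NXDOMAIN.
ZONE_NAMES = {"victim.example.", "www.victim.example."}

MODES = {
    "full": "no minimisation, full QNAME, RFC 2308 per-name negative cache",
    "qmin_fb": "minimisation; NXDOMAIN on a shortened name triggers a fallback "
               "query for the full QNAME (RFC 7816 work-around for buggy ENTs)",
    "qmin_8020": "minimisation; NXDOMAIN on a shortened name is final and is "
                 "cached as an RFC 8020 subtree cut",
}


def labels_below_apex(qname):
    """Labels of qname below ZONE_APEX, ordered nearest-apex first."""
    assert qname.endswith("." + ZONE_APEX)
    rel = qname[: -len(ZONE_APEX) - 1]
    return list(reversed(rel.split(".")))


def auth_answer(qname):
    """RCODE the victim's authoritative server returns for qname."""
    if qname in ZONE_NAMES:
        return "NOERROR"
    if any(n.endswith("." + qname) for n in ZONE_NAMES):
        return "NOERROR"          # empty non-terminal: NOERROR/NODATA
    return "NXDOMAIN"


class Resolver:
    def __init__(self, mode):
        assert mode in MODES
        self.mode = mode
        self.cache = {}             # name -> RCODE, per name (RFC 2308)
        self.nx_cuts = set()        # names whose whole subtree is NXDOMAIN (RFC 8020)
        self.upstream = Counter()   # queries actually sent, keyed by name

    def _under_cut(self, name):
        return any(name == c or name.endswith("." + c) for c in self.nx_cuts)

    def _lookup(self, name):
        """Answer one name from cache, or send it upstream and cache the result."""
        if self.mode == "qmin_8020" and self._under_cut(name):
            return "NXDOMAIN"
        if name in self.cache:
            return self.cache[name]
        self.upstream[name] += 1
        rcode = auth_answer(name)
        self.cache[name] = rcode
        if rcode == "NXDOMAIN" and self.mode == "qmin_8020":
            self.nx_cuts.add(name)
        return rcode

    def resolve(self, qname):
        if self.mode == "full":
            return self._lookup(qname)
        # QNAME minimisation: extend the name one label at a time below the cut.
        name, rcode = ZONE_APEX, "NOERROR"
        for label in labels_below_apex(qname):
            name = label + "." + name
            rcode = self._lookup(name)
            if rcode == "NXDOMAIN":
                if self.mode == "qmin_fb" and name != qname:
                    # Server might be wrong about ENTs: re-ask with the full QNAME.
                    return self._lookup(qname)
                return rcode
        return rcode


def attack_names(count, depth, under):
    """Constructed attacker QNAMEs: `depth` unique labels below `under`."""
    return [".".join(f"r{i}x{d}" for d in range(depth)) + "." + under
            for i in range(count)]


def upstream_queries(mode, names):
    """Total queries a resolver in `mode` sends upstream to resolve `names`."""
    r = Resolver(mode)
    for n in names:
        r.resolve(n)
    return sum(r.upstream.values())


def scenario_table(count=100):
    """Upstream query counts per attack pattern and mode: {scenario: {mode: n}}."""
    scenarios = {
        "1 random label under apex":       attack_names(count, 1, ZONE_APEX),
        "3 random labels under apex":      attack_names(count, 3, ZONE_APEX),
        "random label under nonexistent":  attack_names(count, 1, "nope." + ZONE_APEX),
        "random label under existing www": attack_names(count, 1, "www." + ZONE_APEX),
    }
    return {s: {m: upstream_queries(m, names) for m in MODES}
            for s, names in scenarios.items()}


if __name__ == "__main__":
    for scenario, counts in scenario_table().items():
        print(f"{scenario:34s}" + "  ".join(f"{m}={n}" for m, n in counts.items()))
```

With 100 attack names of three random labels each, the fallback resolver sends 200 queries where a non-minimising resolver sends 100, which is the amplification; the RFC 8020 resolver sends 100. When the attacker reuses a nonexistent intermediate label, the RFC 8020 cut answers every later name from cache after a single upstream query, while the other two modes still send at least one query per name. The model deliberately excludes wildcard zones, where every minimised query gets NOERROR and the walk runs the full label depth regardless of RFC 8020.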