Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors

["Rose, Scott W." <scott.rose@nist.gov>]

I think the draft is just about ready for publication as well.

On May 5, 2015, at 5:53 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> This document has progressed very well and is nearly ready for publication.
> 
> Related to an earlier thread about intended status: "Informational" is most appropriate here because the document is all about proposed operations but no "best current practice". There is no problem with WGs producing Informational RFCs, and Informational RFCs can have RFC 2119 language.
> 
> In Section 2, there should be a new paragraph after the first paragraph that describes why the "reasonable attempt" in the first paragraph is needed to determine whether the attacker has partial control of the zone, or is just mounting an on-path attack between all the nameservers and the recursive.
> 
> In Section 2, it talks about "a popular domain name" but don't say how to determine that. Giving examples of sources of that data would be valuable.
> 
I would recommend local query logs, naturally.  


> 
> In Section 7.1, the second paragraph is *not* a security consideration, it is a proposal for how NTAs should be implemented. Please make this its own section earlier in the document, possibly called "Altering Users of NTA Use".
> 
There is a security consideration there, reading between the lines - in that this is broadcasting a spoofable name to the world.  However, a "Altering User's" section would be a good addition to include text about apps that may break if it is known they demand to see the AD bit set in responses.

Scott



===================================
Scott Rose
NIST
scott.rose@nist.gov
+1 301-975-8439
Google Voice: +1 571-249-3671
http://www.dnsops.gov/
https://www.had-pilot.com/
===================================