Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors

[Paul Hoffman <paul.hoffman@vpnc.org>]

On May 9, 2015, at 6:07 AM, Warren Kumari <warren@kumari.net> wrote:
>> In Section 2, there should be a new paragraph after the first paragraph that describes why the "reasonable attempt" in the first paragraph is needed to determine whether the attacker has partial control of the zone, or is just mounting an on-path attack between all the nameservers and the recursive.
> 
> 
> DONE?
> "It is important to confirm that the comains is still under the
> ownership / control of the legitimate owner of the domain - this is to
> ensure that disabling validation for a specific domain does not direct
> users to an address under an attackers control. Contacting the domain
> owner allows the resolver operator to determine if the issue is a
> DNSSEC misconfiguration or an attack."
> 
> I'm not really sure if this addresses your concerns? If not, do you
> happen to have any suggested text?

Using your, expanding just a bit:

"It is important for the resolver operator to confirm that the domain is still under the
ownership / control of the legitimate owner of the domain in order to
ensure that disabling validation for a specific domain does not direct
users to an address under an attacker's control. Contacting the domain
owner and telling them the DNSSEC records that the resolver operator is seeing
allows the resolver operator to determine if the issue is a
DNSSEC misconfiguration or an attack."

> 
> 
>> 
>> In Section 2, it talks about "a popular domain name" but don't say how to determine that. Giving examples of sources of that data would be valuable.
> 
> DONE.
> I added: "An example of a list of "top N" websites is the <xref
> target="Alexa">"Alexa Top 500 Sites on the Web" </xref>"
> 
> Is this OK?

That's OK, but I would prefer to add in what Scott Rose suggested: ", or a list of the of the most-accessed names in the resolver's cache".

--Paul Hoffman