IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors

Paul Hoffman <paul.hoffman@vpnc.org> Tue, 05 May 2015 21:53 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0EE61A6FE9 for <dnsop@ietfa.amsl.com>; Tue, 5 May 2015 14:53:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level:
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id StCw-_Yhweux for <dnsop@ietfa.amsl.com>; Tue, 5 May 2015 14:53:43 -0700 (PDT)
Received: from proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5B5B1A6F33 for <dnsop@ietf.org>; Tue, 5 May 2015 14:53:42 -0700 (PDT)
Received: from [10.20.30.101] (50-1-98-218.dsl.dynamic.fusionbroadband.com [50.1.98.218]) (authenticated bits=0) by proper.com (8.15.1/8.14.9) with ESMTPSA id t45Lrf0g052507 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <dnsop@ietf.org>; Tue, 5 May 2015 14:53:42 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: proper.com: Host 50-1-98-218.dsl.dynamic.fusionbroadband.com [50.1.98.218] claimed to be [10.20.30.101]
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <553EBF02.3050703@gmail.com>
Date: Tue, 05 May 2015 14:53:41 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <793F7CBB-198C-438D-9AD3-F1414E6011F3@vpnc.org>
References: <553EBF02.3050703@gmail.com>
To: dnsop <dnsop@ietf.org>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/z9rk7FPvPh4VyVxQb5D0boofrFM>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 May 2015 21:53:43 -0000

This document has progressed very well and is nearly ready for publication.

Related to an earlier thread about intended status: "Informational" is most appropriate here because the document is all about proposed operations but no "best current practice". There is no problem with WGs producing Informational RFCs, and Informational RFCs can have RFC 2119 language.

In Section 2, there should be a new paragraph after the first paragraph that describes why the "reasonable attempt" in the first paragraph is needed to determine whether the attacker has partial control of the zone, or is just mounting an on-path attack between all the nameservers and the recursive.

In Section 2, it talks about "a popular domain name" but don't say how to determine that. Giving examples of sources of that data would be valuable.

Section 5 is one paragraph too short. It says what other misconfigurations should not be fixed by recursive resolver operators, but it does not say why likely DNSSEC validation errors should be. The (missing) second paragraph should say something to the effect of "with DNSSEC breakage, it is often possible to tell that there is a misconfiguration by looking at the data and not needing to guess what it should have been".

In Section 6, add a second sentence to the second paragraph: "Such additions are prevented by the requirement that the operator attempt to contact the administrators for the zone that has broken DNSSEC."

In Section 7.1, the second paragraph is *not* a security consideration, it is a proposal for how NTAs should be implemented. Please make this its own section earlier in the document, possibly called "Altering Users of NTA Use".

There is no stated reason for Appendix B to be an appendix. It is just as important as other sections in the main body of the text, and should be moved there.

References to other documents are done inconsistently. For example, there is both "from RFC4033 [RFC4033]" and "in [RFC5914]".

--Paul Hoffman

v2.23.0 | Report a Bug | By Email