[IPsec] Shepherd Review of draft-ietf-ipsecme-split-dns-06

"Waltermire, David A. (Fed)" <david.waltermire@nist.gov> Tue, 27 February 2018 00:52 UTC

From: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
To: "draft-ietf-ipsecme-split-dns.authors@ietf.org" <draft-ietf-ipsecme-split-dns.authors@ietf.org>, IPsecME WG <ipsec@ietf.org>
Date: Tue, 27 Feb 2018 00:51:57 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/1zH15XGUIinbV7tQ08OGSK8hWlE>

Authors,

Overall the draft is almost ready to submit to the IESG once the following few small issues are resolved. 

Section 1.1:

There are a few lowercase instances of must, may, and should in the document. You should use text from RFC8174 to indicate that lowercase versions of the keywords are not normative.

Something like the following would work:

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

Please double check the lowercase "must", "should", and "may" instances to be sure they are properly non-capitalized.

In section 3.1 the document states:

   If an INTERNAL_DNSSEC_TA attriute is included
   in the CFG_REQUEST, the initiator SHOULD also include one or more
   INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST.

The behavior for the responder is not defined in section 3.2 if this "SHOULD" is violated. Would it be desirable for the responder to ignore the INTERNAL_DNSSEC_TA attribute? This behavior should be defined either way.

(nit) s/attriute/attribute/ (I think Tero already found this and we are waiting to handle this in AD review/IETF LC.)

Section 3.4.2:

(nit) s/attributes/attributes/

(nit) s/received in the CFG_REPLY/received in the CFG_REPLY./

"In this example, the initiator has no existing DNSSEC trust anchors would the requested domain." Should this be 'for the requested domain "example.com."'? The following sentence should start with a capitalized letter. The paragraph should end with a period.

How about the following as a replacement:

   In this example, the initiator has no existing DNSSEC trust anchors
   for the requested domain "example.com". The responder provides DNSSEC
   trust anchors for the "example.com" domain, but does not configure
   trust anchors for the "city.other.com" domain.

Section 5:

The first sentence of the 6th paragraph contains a lowercase "must", which I believe should be capitalized.

(nit) s/be be/be/

Once this is all fixed I will send the draft to the IESG. I'll complete the writeup using your text as a starting point in the interim.

Regards,
Dave
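
The section 3.1 case raised in the review, as an added example that is not part of the original message or of the draft: a parser for an IKEv2 Configuration payload body that reports a CFG_REQUEST carrying INTERNAL_DNSSEC_TA with no INTERNAL_DNS_DOMAIN. The attribute type numbers 25 and 26 are the IANA values as later published in RFC 8598 and do not appear in the message; attribute values are treated as opaque bytes, and the sample payloads are constructed. The check only reports the condition, since the responder behaviour is the open question.

```python
import struct

CFG_REQUEST = 1            # IKEv2 CFG Type (RFC 7296)
INTERNAL_DNS_DOMAIN = 25   # assumption: IANA value as published in RFC 8598
INTERNAL_DNSSEC_TA = 26    # assumption: IANA value as published in RFC 8598
TA_WITHOUT_DOMAIN = "INTERNAL_DNSSEC_TA present without INTERNAL_DNS_DOMAIN"

def parse_cp_body(body: bytes):
    """Parse a Configuration payload body (after the generic payload header).

    Layout: CFG Type (1 octet), RESERVED (3 octets), then attributes of
    R bit + 15-bit type, 16-bit length, value. Returns (cfg_type, attrs).
    Raises ValueError rather than reading past the end of the buffer.
    """
    if len(body) < 4:
        raise ValueError("CP body shorter than CFG Type + RESERVED")
    cfg_type, attrs, off = body[0], [], 4
    while off < len(body):
        if len(body) - off < 4:
            raise ValueError("truncated attribute header")
        raw_type, length = struct.unpack_from("!HH", body, off)
        off += 4
        if length > len(body) - off:
            raise ValueError("attribute length exceeds payload")
        attrs.append((raw_type & 0x7FFF, body[off:off + length]))
        off += length
    return cfg_type, attrs

def check_cfg_request(body: bytes):
    """Return findings for the section 3.1 SHOULD; an empty list means none."""
    cfg_type, attrs = parse_cp_body(body)
    types = {t for t, _ in attrs}
    if (cfg_type == CFG_REQUEST and INTERNAL_DNSSEC_TA in types
            and INTERNAL_DNS_DOMAIN not in types):
        return [TA_WITHOUT_DOMAIN]
    return []

def attr(attr_type: int, value: bytes = b"") -> bytes:
    """Build one configuration attribute (helper for the constructed samples)."""
    return struct.pack("!HH", attr_type, len(value)) + value

def cp(cfg_type: int, *attrs: bytes) -> bytes:
    """Build a CP payload body from already-encoded attributes."""
    return bytes([cfg_type, 0, 0, 0]) + b"".join(attrs)

if __name__ == "__main__":
    # Constructed samples: a request with only a trust-anchor attribute,
    # and one that also names a domain (value bytes are opaque here).
    print(check_cfg_request(cp(CFG_REQUEST, attr(INTERNAL_DNSSEC_TA))))
    print(check_cfg_request(cp(CFG_REQUEST, attr(INTERNAL_DNS_DOMAIN, b"example.com"),
                               attr(INTERNAL_DNSSEC_TA))))
```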