[secdir] Secdir last call review of draft-ietf-dnsop-zoneversion-06

Shawn Emery via Datatracker <noreply@ietf.org> Thu, 06 June 2024 06:55 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id EEA02C1D4CF2; Wed, 5 Jun 2024 23:55:42 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Shawn Emery via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 12.14.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <171765694296.11836.1686812500783472443@ietfa.amsl.com>
Date: Wed, 05 Jun 2024 23:55:42 -0700
Message-ID-Hash: 5NXDJB7EOXTX3IKAPEZYIDSOLOZJLRHE
X-Message-ID-Hash: 5NXDJB7EOXTX3IKAPEZYIDSOLOZJLRHE
X-MailFrom: noreply@ietf.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-secdir.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop@ietf.org, draft-ietf-dnsop-zoneversion.all@ietf.org, last-call@ietf.org
X-Mailman-Version: 3.3.9rc4
Reply-To: Shawn Emery <shawn.emery@gmail.com>
Subject: [secdir] Secdir last call review of draft-ietf-dnsop-zoneversion-06
List-Id: Security Area Directorate <secdir.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/5CcCfrDwrmQOqmoWw3-uddYTB40>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Owner: <mailto:secdir-owner@ietf.org>
List-Post: <mailto:secdir@ietf.org>
List-Subscribe: <mailto:secdir-join@ietf.org>
List-Unsubscribe: <mailto:secdir-leave@ietf.org>

Reviewer: Shawn Emery
Review result: Has Nits

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call
comments.

This draft specifies an extension in DNS for providing zone version information
for the associated query name.  This data allows callers to better correlate
the queried name to a zone version that it belongs, in order to better diagnose
synchronicity issues.

The security considerations section does exist and describes that this EDNS
extension does not protect against an active attacker and therefore should only
be used for diagnostic purposes only.  The section continues, if zone version
information is to protected against an active attacker then the user should use
TSIG (RFC 8945) or SIG(0) (RFC 2931) to authenticate and provide integrity
protection.  In addition, there are no new privacy issues introduced by the new
extension given that version information is already provided publicly.  I agree
with the aforementioned assertions.

General Comments:

What's an unsigned decimal integer vs. unsigned integer?

Editorials Comments:

s/and and/and/
s/correspond do/correspond to the/