Re: [secdir] secdir review of draft-ietf-dnsext-axfr-clarify-13
Chris Lonvick <clonvick@cisco.com> Tue, 02 March 2010 15:06 UTC
Return-Path: <clonvick@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DB1353A8AF4; Tue, 2 Mar 2010 07:06:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.449
X-Spam-Level:
X-Spam-Status: No, score=-10.449 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ncaqaLofmxOJ; Tue, 2 Mar 2010 07:06:57 -0800 (PST)
Received: from sj-iport-4.cisco.com (sj-iport-4.cisco.com [171.68.10.86]) by core3.amsl.com (Postfix) with ESMTP id 0044D3A8ABD; Tue, 2 Mar 2010 07:06:56 -0800 (PST)
Authentication-Results: sj-iport-4.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAJ+4jEurRN+J/2dsb2JhbACbBXOmcphShHsEgxc
X-IronPort-AV: E=Sophos;i="4.49,567,1262563200"; d="scan'208";a="94617120"
Received: from sj-core-3.cisco.com ([171.68.223.137]) by sj-iport-4.cisco.com with ESMTP; 02 Mar 2010 15:06:58 +0000
Received: from sjc-cde-011.cisco.com (sjc-cde-011.cisco.com [171.69.16.68]) by sj-core-3.cisco.com (8.13.8/8.14.3) with ESMTP id o22F6v1M014172; Tue, 2 Mar 2010 15:06:57 GMT
Date: Tue, 02 Mar 2010 07:06:57 -0800
From: Chris Lonvick <clonvick@cisco.com>
To: Alfred Hönes <ah@TR-Sys.de>
In-Reply-To: <201003021445.PAA16394@TR-Sys.de>
Message-ID: <Pine.GSO.4.63.1003020656130.7331@sjc-cde-011.cisco.com>
References: <201003021445.PAA16394@TR-Sys.de>
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-559023410-341603450-1267542417=:7331"
Cc: draft-ietf-dnsext-axfr-clarify.all@gamay.tools.IETF.ORG, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-dnsext-axfr-clarify-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2010 15:06:58 -0000
Hi Alfred, On Tue, 2 Mar 2010, Alfred HÎnes wrote: > Chris, > thanks for your detailed review. See detailed responses inline. > >> Hi, >> >> I have reviewed this document as part of the security directorate's >> ongoing effort to review all IETF documents being processed by the >> IESG. These comments were written primarily for the benefit of the >> security area directors. Document editors and WG chairs should treat >> these comments just like any other last call comments. >> >> Overall, I found no problems with the document. It is well written and >> very explanatory. The following notes and suggestions are editorial. > > Thanks for this former judgement in particular. > It deemed specifically important for a topic that some years ago > had caused controversies to be as clear and logically consistent > as possible and to explain therein the reasons to write that > document -- the very cursory text in STD 13 that essentially had > laid the grounds for diverging exegesis. > >> >> It would be nice to reference the security considerations of RFCs 1034 >> and 1035 just to say that this specification doesn't add any new >> considerations, however those documents don't have any security >> considerations sections. Would the authors then consider something >> like the following (which would be the first paragraph in Section 8): > >> This document is a clarification of a mechanism outlined in RFCs 1034 >> and 1035 and as such does not add any new security considerations. >> The security considerations relevent to the deployment of this >> specification are noted in RFC 4033. > > Unless someone opposes, such text can be added, sure. > But in that case, wouldn't RFC 3833 be a better choice than RFC 4033? > RFC 4033 indeed contains considerations that go beyond DNSSEC, but > the more generic security considerations for the DNS in general are > in RFC 3833. I suggest to add the following text: > > | This document is a clarification of a mechanism outlined in RFCs 1034 > | and 1035 and as such does not add any new security considerations. > | RFC 3833 [RFC3833] is devoted entirely to security considerations for > | the DNS; its Section 4.3 delineates zone transfer security aspects > | from the security threats addressed by DNSSEC. > > [ + add an entry [RFC3833] to Section 12.2 (Informative References). ] > > Does that make sense to you? That does address my concern very well. (Not being familiar with the DNSSEC RFCs I chose 4033 from your list of references as it was close enough from my quick scans. :) > > >> In my first reading of the document, I was unfamiliar with the term >> "mbz". I'd suggest expanding the acronym in one place. > > The first appearance of "mbz" is in Section 2.1.1, enclosed in (single) > quotes, and tagged with "-- see Note c)", where Note c) (at the bottom > of page 9) contains the explanation: > > c) 'mbz' -- The client MUST set this bit to 0, the server MUST ignore > it. > > 'mbz' is used more as a user-friendly symbol -- at first glance similar > to "MUST be 0", but actually quite different -- for the classification > of fields than a literal acronym (and hence also written on lowercase), > and the common expansion "must be zero" deliberately has been omitted > because of anecdotal evidence that implementors have understood that as > an encouragement, or even requirement, to check for value 0 on receipt, > which is contrary to what we want. Ahh, now I see; that is your definition. OK, I was looking for an acronym expansion. I'm not going to object if you leave it as is. > > Note: Similar considerations apply to 'n/a' ( same section, Note b) ). Yup, but that one I could figure out without a definition. :-) Best regards, Chris
- [secdir] secdir review of draft-ietf-dnsext-axfr-… Chris Lonvick
- Re: [secdir] secdir review of draft-ietf-dnsext-a… Chris Lonvick
- Re: [secdir] secdir review of draft-ietf-dnsext-a… Alfred Hönes