[secdir] Review of draft-ietf-dnsop-qname-minimisation-07

Shawn M Emery <shawn.emery@oracle.com> Sat, 28 November 2015 07:21 UTC

Return-Path: <shawn.emery@oracle.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id DEF361B3093 for <secdir@ietfa.amsl.com>; Fri, 27 Nov 2015 23:21:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.786
X-Spam-Status: No, score=-4.786 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id MLwbcoJuUVSA for <secdir@ietfa.amsl.com>; Fri, 27 Nov 2015 23:21:23 -0800 (PST)
Received: from userp1040.oracle.com (userp1040.oracle.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1AA91B3092 for <secdir@ietf.org>; Fri, 27 Nov 2015 23:21:22 -0800 (PST)
Received: from userv0022.oracle.com (userv0022.oracle.com []) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id tAS7LL3h021711 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 28 Nov 2015 07:21:21 GMT
Received: from aserv0121.oracle.com (aserv0121.oracle.com []) by userv0022.oracle.com (8.13.8/8.13.8) with ESMTP id tAS7LKo0011691 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Sat, 28 Nov 2015 07:21:20 GMT
Received: from abhmp0005.oracle.com (abhmp0005.oracle.com []) by aserv0121.oracle.com (8.13.8/8.13.8) with ESMTP id tAS7LKa0019856; Sat, 28 Nov 2015 07:21:20 GMT
Received: from [] (/ by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 27 Nov 2015 23:21:20 -0800
Message-ID: <56595640.5060206@oracle.com>
Date: Sat, 28 Nov 2015 00:22:40 -0700
From: Shawn M Emery <shawn.emery@oracle.com>
User-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: secdir@ietf.org
References: <56025EEB.5060602@oracle.com>
In-Reply-To: <56025EEB.5060602@oracle.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Source-IP: userv0022.oracle.com []
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/5kWTuOBVO1ohQ6qgkyTL5cVS1oo>
Cc: draft-ietf-dnsop-qname-minimisation.all@tools.ietf.org
Subject: [secdir] Review of draft-ietf-dnsop-qname-minimisation-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Nov 2015 07:21:24 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

This draft specifies a technique to increase privacy in unencrypted DNS
traffic by not specifying a full domain name to the upstream name server.

The security considerations section does exist and does relent that encryption
would be a better form of privacy, but would require more coordination.  The
section also discloses that this protocol does not help in the case of
recursive resolvers.  I believe that the draft sufficiently describes the
limitations of the QNAME minimization method as specified.

General comments:


Editorial comments:

Should QNAME be initially expanded/defined?
s/therefore do not give/therefore not give/
s/improving performances/improving performance/