[secdir] Secdir last call review of draft-cheshire-sudn-ipv4only-dot-arpa-15
Rich Salz via Datatracker <noreply@ietf.org> Thu, 23 January 2020 17:11 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DAC812093B; Thu, 23 Jan 2020 09:11:12 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Rich Salz via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: last-call@ietf.org, draft-cheshire-sudn-ipv4only-dot-arpa.all@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.116.1
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Rich Salz <rsalz@akamai.com>
Message-ID: <157979947223.22606.1389820328667672093@ietfa.amsl.com>
Date: Thu, 23 Jan 2020 09:11:12 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/A78yNC9g4Mt6G7CDc5hrca0ZdqU>
Subject: [secdir] Secdir last call review of draft-cheshire-sudn-ipv4only-dot-arpa-15
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jan 2020 17:11:12 -0000
Reviewer: Rich Salz Review result: Ready This is the security directorate review done on behalf of the Security AD's. Others should treat this like a regular last-call review. This document fills in a hole: RFC 7050 reserved the special DNS name "ipv4only.arpa" for determining how a client can find out its local network NAT64 prefix, but did not finish the job by not registering that name in the Special-Use Domain Name registry (SUDN). I was surprised to see that this was an AD-sponsored document; various AD's may wish to discuss the rationale during IESG review. The paranoic in me finds it interesting that https://datatracker.ietf.org/doc/draft-cheshire-sudn-ipv4only-dot-arpa/shepherdwriteup/ has no answer to question 9. :) This is a good document plugging a hole, and explaining the impact on DNS in a variety of configurations. Ship it. Sec 3 discusses the intent and why ipv4only.arpa is special. Sec 4 discusses what happens when software doesn't do the implied/required special-casing. It covers several types of deployments. Sec 5 provides what is missing from RFC 7050, but arguably is "better" because of the experience learned. There is interaction between DNS64 and DNSSEC that is described in Sec 6. A variety of mechanisms are discussed and a migration path is proposed, ultimately justifying why the zone must be insecure. Sec 8, the SUDN registration section, recapitulates the previous sections without rationale or side-notes: if you read only one setion, read this.
- [secdir] Secdir last call review of draft-cheshir… Rich Salz via Datatracker