Re: [secdir] secdir review of draft-ietf-dnsext-axfr-clarify-13
Alfred Hönes <ah@TR-Sys.de> Tue, 02 March 2010 14:46 UTC
Return-Path: <A.Hoenes@TR-Sys.de>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4481B28C119; Tue, 2 Mar 2010 06:46:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.001
X-Spam-Level: **
X-Spam-Status: No, score=2.001 tagged_above=-999 required=5 tests=[AWL=0.750, BAYES_00=-2.599, CHARSET_FARAWAY_HEADER=3.2, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X8Ef7fhNeVa9; Tue, 2 Mar 2010 06:46:16 -0800 (PST)
Received: from TR-Sys.de (gateway.tr-sys.de [213.178.172.147]) by core3.amsl.com (Postfix) with ESMTP id F11BC3A8AA0; Tue, 2 Mar 2010 06:46:14 -0800 (PST)
Received: from ZEUS.TR-Sys.de by w. with ESMTP ($Revision: 1.37.109.26 $/16.3.2) id AA216001137; Tue, 2 Mar 2010 15:45:37 +0100
Received: (from ah@localhost) by z.TR-Sys.de (8.9.3 (PHNE_25183)/8.7.3) id PAA16394; Tue, 2 Mar 2010 15:45:36 +0100 (MEZ)
From: Alfred Hönes <ah@TR-Sys.de>
Message-Id: <201003021445.PAA16394@TR-Sys.de>
To: clonvick@cisco.com
Date: Tue, 02 Mar 2010 15:45:35 +0100
In-Reply-To: <Pine.GSO.4.63.1002270839580.7577@sjc-cde-011.cisco.com> from Chris Lonvick at Mar "1, " 2010 "01:24:13" pm
X-Mailer: ELM [$Revision: 1.17.214.3 $]
Mime-Version: 1.0
Content-Type: text/plain; charset="hp-roman8"
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Tue, 02 Mar 2010 10:52:33 -0800
Cc: draft-ietf-dnsext-axfr-clarify.all@gamay.tools.IETF.ORG, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-dnsext-axfr-clarify-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2010 14:46:17 -0000
Chris,
thanks for your detailed review. See detailed responses inline.
> Hi,
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> Overall, I found no problems with the document. It is well written and
> very explanatory. The following notes and suggestions are editorial.
Thanks for this former judgement in particular.
It deemed specifically important for a topic that some years ago
had caused controversies to be as clear and logically consistent
as possible and to explain therein the reasons to write that
document -- the very cursory text in STD 13 that essentially had
laid the grounds for diverging exegesis.
>
> It would be nice to reference the security considerations of RFCs 1034
> and 1035 just to say that this specification doesn't add any new
> considerations, however those documents don't have any security
> considerations sections. Would the authors then consider something
> like the following (which would be the first paragraph in Section 8):
> This document is a clarification of a mechanism outlined in RFCs 1034
> and 1035 and as such does not add any new security considerations.
> The security considerations relevent to the deployment of this
> specification are noted in RFC 4033.
Unless someone opposes, such text can be added, sure.
But in that case, wouldn't RFC 3833 be a better choice than RFC 4033?
RFC 4033 indeed contains considerations that go beyond DNSSEC, but
the more generic security considerations for the DNS in general are
in RFC 3833. I suggest to add the following text:
| This document is a clarification of a mechanism outlined in RFCs 1034
| and 1035 and as such does not add any new security considerations.
| RFC 3833 [RFC3833] is devoted entirely to security considerations for
| the DNS; its Section 4.3 delineates zone transfer security aspects
| from the security threats addressed by DNSSEC.
[ + add an entry [RFC3833] to Section 12.2 (Informative References). ]
Does that make sense to you?
> In my first reading of the document, I was unfamiliar with the term
> "mbz". I'd suggest expanding the acronym in one place.
The first appearance of "mbz" is in Section 2.1.1, enclosed in (single)
quotes, and tagged with "-- see Note c)", where Note c) (at the bottom
of page 9) contains the explanation:
c) 'mbz' -- The client MUST set this bit to 0, the server MUST ignore
it.
'mbz' is used more as a user-friendly symbol -- at first glance similar
to "MUST be 0", but actually quite different -- for the classification
of fields than a literal acronym (and hence also written on lowercase),
and the common expansion "must be zero" deliberately has been omitted
because of anecdotal evidence that implementors have understood that as
an encouragement, or even requirement, to check for value 0 on receipt,
which is contrary to what we want.
Note: Similar considerations apply to 'n/a' ( same section, Note b) ).
> Thanks,
> Chris
>
Kind regards,
Alfred.
--
+------------------------+--------------------------------------------+
| TR-Sys Alfred Hoenes | Alfred Hoenes Dipl.-Math., Dipl.-Phys. |
| Gerlinger Strasse 12 | Phone: (+49)7156/9635-0, Fax: -18 |
| D-71254 Ditzingen | E-Mail: ah@TR-Sys.de |
+------------------------+--------------------------------------------+
- [secdir] secdir review of draft-ietf-dnsext-axfr-… Chris Lonvick
- Re: [secdir] secdir review of draft-ietf-dnsext-a… Chris Lonvick
- Re: [secdir] secdir review of draft-ietf-dnsext-a… Alfred Hönes