IETF Logo Mail Archive

[secdir] Secdir review of draft-ietf-dnsop-dns-tcp-requirements-12

Alan DeKok <aland@freeradius.org> Fri, 27 August 2021 20:28 UTC

Return-Path: <aland@freeradius.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A67F13A164C; Fri, 27 Aug 2021 13:28:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dqt65OW2L9oH; Fri, 27 Aug 2021 13:28:19 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA2153A164B; Fri, 27 Aug 2021 13:28:15 -0700 (PDT)
Received: from [192.168.46.129] (24-52-251-6.cable.teksavvy.com [24.52.251.6]) by mail.networkradius.com (Postfix) with ESMTPSA id C274A216; Fri, 27 Aug 2021 20:28:09 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=freeradius.org
From: Alan DeKok <aland@freeradius.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
Message-Id: <0DA9ABEC-E5F0-4479-B3D7-F03E6BEB7DF9@freeradius.org>
Date: Fri, 27 Aug 2021 16:28:07 -0400
To: secdir@ietf.org, draft-ietf-dnsop-dns-tcp-requirements.all@ietf.org
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/LvnyNRIN9O0rSrN8Qf1LBSsVwiM>
Subject: [secdir] Secdir review of draft-ietf-dnsop-dns-tcp-requirements-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Aug 2021 20:28:22 -0000

Reviewer: Alan DeKok
Review result: Has nits

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

  Over all, I think this document is clear, useful and well written.

Section 1 says:

   ... Section 6.1.3.2 to clarify that all DNS resolvers and recursive MUST
   support and service both TCP and UDP queries.

NIT: bare "recursive" should perhaps be "recursive servers", to match similar text elsewhere in the document.


  It may be good to update Section 3 with notes on "head of line blocking".  This text could arguably be in RFC 7766, but having it here is a reasonable alternative:

   When using UDP as a transport for DNS, there is no ordering of
   packets.  If a packet is lost, that loss has no
   effect on subsequent packets sent by that client or server.

   Unlike UDP, TCP is subject to issues related to Head of Line (HoL)
   blocking.  This occurs when a TCP segment is lost and a subsequent
   TCP segment arrives out of order.  While the DNS implementation can
   process DNS packets out of order, the semantics of TCP makes this
   impossible.  This limitation can lower the maximum packet processing
   rate of DNS over TCP.


Section 6 says:

   Developers SHOULD also keep in mind connection reuse, query
   pipelining, and out-of-order responses when building and testing DNS
   monitoring applications.

  It would also be good to note that if the monitoring software tracks requests and responses, then clients could potentially attack the monitoring software, too.  i.e. by sending large volumes of requests to "black hole" IPs, which will never get a response.   So the monitoring software should have both timeouts for request/response tracking, and also limit the total number of request/responses which are monitored.

v2.23.0 | Report a Bug | By Email