[secdir] review of draft-iab-2870bis-01

"Klaas Wierenga (kwiereng)" <kwiereng@cisco.com> Fri, 30 May 2014 08:24 UTC

Return-Path: <kwiereng@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 805231A026D; Fri, 30 May 2014 01:24:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.152
X-Spam-Status: No, score=-15.152 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id hyn8KwTiyv5s; Fri, 30 May 2014 01:24:14 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC5CC1A6EF8; Fri, 30 May 2014 01:24:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1867; q=dns/txt; s=iport; t=1401438250; x=1402647850; h=from:to:subject:date:message-id:content-id: content-transfer-encoding:mime-version; bh=T22qZa/7VvZBjRkNHG03eSsrwLDvxH2pOawgKl16PCU=; b=M0C7oMUazVryBbQ+HRvYT7rXhcpnGUZD2K7ydyzca/eLucBKfR7XNv91 pmEss+sK1qZ6x1IdaaaETVnpRp3YQ41NKzkoikDYFvXmYoWZO76KK0XCb YkKz3BbKVLp6LBF9VlZ95+b8l6Tp6vh6xekdU6Ck4HjlyyiFfvgxaz8hp k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhgGADo/iFOtJV2U/2dsb2JhbABZgweBKqoVAQEBAQEBBQEFmRoWdIIsgQsBgQAnBAGIVNZ1F4VVjC+BFQSZepMsgziCLw
X-IronPort-AV: E=Sophos;i="4.98,939,1392163200"; d="scan'208";a="329137321"
Received: from rcdn-core-12.cisco.com ([]) by rcdn-iport-8.cisco.com with ESMTP; 30 May 2014 08:24:09 +0000
Received: from xhc-rcd-x11.cisco.com (xhc-rcd-x11.cisco.com []) by rcdn-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id s4U8O9YZ000415 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 30 May 2014 08:24:09 GMT
Received: from xmb-aln-x12.cisco.com ([]) by xhc-rcd-x11.cisco.com ([]) with mapi id 14.03.0123.003; Fri, 30 May 2014 03:24:09 -0500
From: "Klaas Wierenga (kwiereng)" <kwiereng@cisco.com>
To: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-iab-2870bis.all@tools.ietf.org" <draft-iab-2870bis.all@tools.ietf.org>
Thread-Topic: review of draft-iab-2870bis-01
Thread-Index: AQHPe+CHOiNbHuQdUUWnnFqhc5tLFw==
Date: Fri, 30 May 2014 08:24:08 +0000
Message-ID: <0B5213DB-58F9-4947-BB2E-D5EACC0C42FB@cisco.com>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <F8257CBFD0F16E498CD692AF11FC8657@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/OSrS20g0aSqxIBSukgIdMlhEAlM
Subject: [secdir] review of draft-iab-2870bis-01
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 May 2014 08:24:15 -0000


I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This document specifies he protocol and deployment requirements expected to be implemented for the DNS root name service, operational requirements are taken out of 2870, those are published separately (one hopes, see below).
The document is short (thank you! ;-) and clear. I consider it ready with a few issues:


- paragraph 3 (deployment requirements):

"The root name service:

      MUST answer queries from any entity conforming to [RFC1122] with a
      valid IP address.”

I find this a bit confusing. Perhaps showing my ignorance, but should it not be be “… with a valid IP-address or a referral to an authoritative name server”?

- paragraph 4 (security considerations):

This is a bit weak imo. 

At the very least I would expect some discussion about privacy here or in a separate section “privacy considerations”, queries to the root give good insight into what sites the requester is visiting, mitigated by the fact that most queries will not reach the root due to caching of responses. In any case worth some discussion in the era of pervasive surveillance….

Furthermore, the reference to [RSSAC-001] leads to a list of members of RSSAC, not to a document. A quick search at the RSSAC site also didn’t get me to any document called "Service Expectations of Root Servers”, only to the project that was supposed to deliver it. I think you need to fix that reference.


Hope this helps,