[secdir] Secdir last call review of draft-ietf-dnsop-no-response-issue-14

Catherine Meadows via Datatracker <noreply@ietf.org> Thu, 19 December 2019 15:51 UTC

From: Catherine Meadows via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: last-call@ietf.org, dnsop@ietf.org, draft-ietf-dnsop-no-response-issue.all@ietf.org
Reply-To: Catherine Meadows <catherine.meadows@nrl.navy.mil>
Message-ID: <157677069055.27346.2427467441228883400@ietfa.amsl.com>
Date: Thu, 19 Dec 2019 07:51:30 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Q7GzFf58Jf3VHPRvEpyI90MfALc>
Subject: [secdir] Secdir last call review of draft-ietf-dnsop-no-response-issue-14

Reviewer: Catherine Meadows
Review result: Has Nits

This draft concerns maintaining the correctness of DNS servers.  It lists the
common mistakes that noncompliant servers make in responding to queries and
gives the correct ones.  It also gives a set of tests operators can give to
their servers to ensure compliance, as well as directions for applying the tests.

One of the main security issues discussed is the fact that many servers are
configured not to respond to queries outside of their scope because these are
construed as an attack, when in fact these are legal queries that should be
responded to (generally with a message saying that these are not supported)
and that failure to respond can be misinterpreted as packet loss, giving an
incorrect picture of the state of the network.  The document also discusses
the security implications of such misleading responses.

The document also warns about security risks of testing, and of removing
non-compliant servers, and alternative means of handling these situations.

All of the above information is summed up in the security considerations
section, and most of it is discussed in more detail in the document itself.

I think that the authors have done an excellent job of identifying and
explaining security issues, and I consider the document Ready except for one
nit.  In the places where the security considerations section sums up issues
that are discussed in more depth in the document itself (e.g. the first, on
the fact that none of the tests should cause any harm to a protocol-compliant
server), it would be useful to have a pointer to the section or sections where
this information appears.