Re: [secdir] review of draft-iab-2870bis-01

"Moriarty, Kathleen" <kathleen.moriarty@emc.com> Mon, 09 March 2015 22:35 UTC

Return-Path: <kathleen.moriarty@emc.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F6021ACDE9; Mon, 9 Mar 2015 15:35:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J5gozVU1ncrQ; Mon, 9 Mar 2015 15:35:44 -0700 (PDT)
Received: from mailuogwhop.emc.com (mailuogwhop.emc.com [168.159.213.141]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E3501ACDF6; Mon, 9 Mar 2015 15:35:29 -0700 (PDT)
Received: from maildlpprd02.lss.emc.com (maildlpprd02.lss.emc.com [10.253.24.34]) by mailuogwprd01.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id t29MZNB9023499 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 9 Mar 2015 18:35:24 -0400
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd01.lss.emc.com t29MZNB9023499
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=emc.com; s=jan2013; t=1425940524; bh=9y9uPrIw7gaa9CQh/cAx6bAGhFY=; h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:Content-Transfer-Encoding:MIME-Version; b=KCFYQ0N8atDQCbLvsHV8S7z8b5yCDoCT+azhfqf12tGmoKRsdez479JFRuE2ekKGQ AhkS/cOJ8krMFHKmWA/9QTQ68XJKR4HjuzDBRpCUx3Y9IjQnofgTxCjM5/IS60xuHT DZmgSrNnf+w+XsYl1SgrW0J3j2JThjhjY+f0pQ9E=
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd01.lss.emc.com t29MZNB9023499
Received: from mailusrhubprd01.lss.emc.com (mailusrhubprd01.lss.emc.com [10.253.24.19]) by maildlpprd02.lss.emc.com (RSA Interceptor); Mon, 9 Mar 2015 18:34:07 -0400
Received: from mxhub40.corp.emc.com (mxhub40.corp.emc.com [128.222.70.107]) by mailusrhubprd01.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id t29MZAWR026746 (version=TLSv1 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 9 Mar 2015 18:35:10 -0400
Received: from MXHUB207.corp.emc.com (10.253.68.33) by mxhub40.corp.emc.com (128.222.70.107) with Microsoft SMTP Server (TLS) id 8.3.327.1; Mon, 9 Mar 2015 18:35:09 -0400
Received: from MX103CL02.corp.emc.com ([169.254.6.227]) by MXHUB207.corp.emc.com ([10.253.68.33]) with mapi id 14.03.0224.002; Mon, 9 Mar 2015 18:35:09 -0400
From: "Moriarty, Kathleen" <kathleen.moriarty@emc.com>
To: "Klaas Wierenga (kwiereng)" <kwiereng@cisco.com>
Thread-Topic: [secdir] review of draft-iab-2870bis-01
Thread-Index: AQHPe+CHOiNbHuQdUUWnnFqhc5tLF50WetYs
Date: Mon, 9 Mar 2015 22:35:07 +0000
Message-ID: <15A1776F-0C24-42EE-8EFF-578DA2A0D140@emc.com>
References: <0B5213DB-58F9-4947-BB2E-D5EACC0C42FB@cisco.com>
In-Reply-To: <0B5213DB-58F9-4947-BB2E-D5EACC0C42FB@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Sentrion-Hostname: mailusrhubprd01.lss.emc.com
X-RSA-Classifications: DLM_1, public
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/RuWqgRQ9SOIso7mwPUQtntVZmrQ>
Cc: "draft-iab-2870bis.all@tools.ietf.org" <draft-iab-2870bis.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] review of draft-iab-2870bis-01
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Mar 2015 22:35:46 -0000

Hi Klaas,

Thanks for your review of this draft.

Sent from my iPhone

> On May 30, 2014, at 4:24 AM, "Klaas Wierenga (kwiereng)" <kwiereng@cisco.com> wrote:
> 
> Hi,
> 
> I have reviewed this document as part of the security directorate's 
> ongoing effort to review all IETF documents being processed by the 
> IESG.  These comments were written primarily for the benefit of the 
> security area directors.  Document editors and WG chairs should treat 
> these comments just like any other last call comments.
> 
> This document specifies he protocol and deployment requirements expected to be implemented for the DNS root name service, operational requirements are taken out of 2870, those are published separately (one hopes, see below).
> The document is short (thank you! ;-) and clear. I consider it ready with a few issues:
> 
> ===
> 
> - paragraph 3 (deployment requirements):
> 
> "The root name service:
> 
>      MUST answer queries from any entity conforming to [RFC1122] with a
>      valid IP address.”
> 
> I find this a bit confusing. Perhaps showing my ignorance, but should it not be be “… with a valid IP-address or a referral to an authoritative name server”?

This text is getting updated as others found it confusing as well, good catch.
> 
> - paragraph 4 (security considerations):
> 
> This is a bit weak imo. 

Yes, but I'll let it slide (Stephen may have a different opinion) as I think it would be better to deal with the specific security and privacy considerations in each of the referenced RFCs if they get updated.

Thanks again!
Kathleen

> 
> At the very least I would expect some discussion about privacy here or in a separate section “privacy considerations”, queries to the root give good insight into what sites the requester is visiting, mitigated by the fact that most queries will not reach the root due to caching of responses. In any case worth some discussion in the era of pervasive surveillance….
> 
> Furthermore, the reference to [RSSAC-001] leads to a list of members of RSSAC, not to a document. A quick search at the RSSAC site also didn’t get me to any document called "Service Expectations of Root Servers”, only to the project that was supposed to deliver it. I think you need to fix that reference.
> 
> ===
> 
> Hope this helps,
> 
> Klaas
> 
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
>