[secdir] SECDIR review of draft-ietf-dnsop-nxdomain-cut

Adam Montville <adam.w.montville@gmail.com> Tue, 26 July 2016 20:38 UTC

From: Adam Montville <adam.w.montville@gmail.com>
Date: Tue, 26 Jul 2016 15:38:34 -0500
Message-Id: <C4AA13ED-7D78-4AD0-B65E-E22E214A90D3@gmail.com>
To: The IESG <iesg@ietf.org>, secdir@ietf.org, draft-ietf-dnsop-nxdomain-cut.all@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/jUQeCToOdDdnnudrcUyRb52J3wE>
Subject: [secdir] SECDIR review of draft-ietf-dnsop-nxdomain-cut

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document is: Ready

This document explains the reasoning behind, and advantages of, NXDOMAIN cut—a method of ensuring that non-existence of a node in the domain name tree implies non-existence of the entire sub-tree. The solution does seem to require DNSSEC, as mentioned in the security considerations section, to avoid certain DoS circumstances (which are already possible, but potentially amplified by NXDOMAIN cut).