Re: [secdir] secdir review of draft-ietf-v6ops-v6-aaaa-whitelisting-implications-03

"Livingood, Jason" <> Sun, 29 May 2011 18:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 79904E0736; Sun, 29 May 2011 11:44:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -108.436
X-Spam-Status: No, score=-108.436 tagged_above=-999 required=5 tests=[AWL=0.026, BAYES_00=-2.599, HELO_EQ_MODEMCABLE=0.768, HOST_EQ_MODEMCABLE=1.368, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id C8GHfs7PSXCH; Sun, 29 May 2011 11:44:26 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 9A93EE0679; Sun, 29 May 2011 11:44:25 -0700 (PDT)
Received: from ([]) by with ESMTP with TLS id 5503620.127904555; Sun, 29 May 2011 14:44:22 -0400
Received: from ([fe80::6134:ea50:286a:c0]) by ([fe80::d1dd:b302:b617:3755%12]) with mapi id 14.01.0289.001; Sun, 29 May 2011 14:44:21 -0400
From: "Livingood, Jason" <>
To: Russ Mundy <>, "" <>
Thread-Topic: secdir review of draft-ietf-v6ops-v6-aaaa-whitelisting-implications-03
Thread-Index: AQHMCTn9fR3di036FkigKoxmcb9XeZSkTl2A
Date: Sun, 29 May 2011 18:44:21 +0000
Message-ID: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_CA080B2E28969jasonlivingoodcablecomcastcom_"
MIME-Version: 1.0
X-Mailman-Approved-At: Sun, 29 May 2011 12:18:43 -0700
Cc: "" <>, "" <>, "" <>
Subject: Re: [secdir] secdir review of draft-ietf-v6ops-v6-aaaa-whitelisting-implications-03
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 29 May 2011 18:44:27 -0000

Thanks for your review, Russ. I'll be posting an updated –04 revision soon, once I make it through all the bits of other feedback in my queue. Some specific responses are inline below.

Thank you!

On 5/2/11 3:58 PM, "Russ Mundy" <<>> wrote:

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

I found the document to be well written as well as providing sound technical descriptions of the topic of DNS Whitelisting.

>From a security review perspective, I do have a suggestion for section 10 Security Considerations.  The section infers (at least to me) that there is something different or unique for configuring DNS Whitelist configuration protection from other configuration settings for name servers.  Unless I've misunderstood how servers actually implement whitelisting, it uses the same configuration mechanisms and files as any other name server ACL or many other name server configuration settings - _all_ the configuration settings for a name server should be protected so that only authorized individuals can change them.  Modifying the wording to say something to the effect of "Just as all configuration settings for name servers should be protected by appropriate procedures and systems ..."

[JL] Great suggestion — and that has been added to the upcoming update.

Russ Mundy