[secdir] Secdir review of draft-ietf-dnsop-name-server-management-reqs-04
Magnus Nyström <magnusn@gmail.com> Wed, 27 October 2010 03:29 UTC
Return-Path: <magnusn@gmail.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 76C0E3A697F; Tue, 26 Oct 2010 20:29:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.185
X-Spam-Level:
X-Spam-Status: No, score=-2.185 tagged_above=-999 required=5 tests=[AWL=-0.113, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, SARE_SUB_OBFU_Q1=0.227]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fVBdf91XxjG7; Tue, 26 Oct 2010 20:29:22 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 6FB2D3A6958; Tue, 26 Oct 2010 20:29:21 -0700 (PDT)
Received: by iwn40 with SMTP id 40so263965iwn.31 for <multiple recipients>; Tue, 26 Oct 2010 20:31:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:date:message-id :subject:from:to:content-type:content-transfer-encoding; bh=HnZDH0I4lX8rFwX4b6U6eMCuN4DpXKGyN59Ln6Cpx/E=; b=Mz6QnuXOBIwPmYU3Ih4c98pqIcciCVe65hHWHiUGKFR9vqsMdm6vU2+ZRChXjCFpJi 0AWFKsjOR7hqSMq3dV517A5Rut/8OvIlnAb7dwD8FquBhlaoNL8/mC7HQb0buLZ3Pecy M2/nqiVXDnrV/57EacUUUh/nirNiUeUjdkmMg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; b=Kv1rL+VRF5ywxuEr3F3ruK8y6RdjRhoaeJIL2Fbp3M/8JZZvI6wWKPTkL4VVNyZ/x8 g9zSQKnw29mKq08lQhJFbEUSBwnlP11QF9+Wel2mb8Tl9dfOFr7tv8hQLj8rdyXB1HLf gME28osgDMyMZjaGdVX+HggNv50p14sCRUqZo=
MIME-Version: 1.0
Received: by 10.231.182.85 with SMTP id cb21mr1479804ibb.49.1288150270015; Tue, 26 Oct 2010 20:31:10 -0700 (PDT)
Received: by 10.231.154.72 with HTTP; Tue, 26 Oct 2010 20:31:09 -0700 (PDT)
Date: Tue, 26 Oct 2010 20:31:09 -0700
Message-ID: <AANLkTi=gq7aS6B2ZGPQR6DGFZ=gcwHA_SKcgBnP0oZM1@mail.gmail.com>
From: Magnus Nyström <magnusn@gmail.com>
To: secdir@ietf.org, iesg@ietf.org, draft-ietf-dnsop-name-server-management-reqs@tools.ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: [secdir] Secdir review of draft-ietf-dnsop-name-server-management-reqs-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Oct 2010 03:29:26 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document describes requirements on management solutions for name servers. I find this document easy to read and well organized, but have the following security-related suggestions and questions: - Section 3.2.2: When developing requirements for a new management solution, why not require support for DNSSEC? - Section 4.4: "Fine-grained" is not defined. I believe a management solution for name servers always should provide an authorization solution, and would suggest you change the initial sentence of this requirement to say: "The solution MUST be capable of providing an authorization model for any management protocols it introduces to the completed system." - Section 6 (Security Considerations): The first sentence is essentially a tautology: "Any management protocol that meets the criteria discussed in this document needs to support the criteria discussed in Section 4 [in this document] ..." I suggest striking this sentence as those criteria already are mandated anyway. Alternatively, re-formulate to something like: "Any management protocol for which conformance to this document is claimed needs to fully support the criteria discussed in Section 4 ..." -- Magnus
- [secdir] Secdir review of draft-ietf-dnsop-name-s… Magnus Nyström