[secdir] secdir review of draft-ietf-dnsop-obsolete-dlv-00

"Scott G. Kelly" <scott@hyperthought.com> Thu, 26 September 2019 13:20 UTC

Return-Path: <scott@hyperthought.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42492120839 for <secdir@ietfa.amsl.com>; Thu, 26 Sep 2019 06:20:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vm4YDclcawrH for <secdir@ietfa.amsl.com>; Thu, 26 Sep 2019 06:20:31 -0700 (PDT)
Received: from smtp106.iad3a.emailsrvr.com (smtp106.iad3a.emailsrvr.com [173.203.187.106]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 175881208B8 for <secdir@ietf.org>; Thu, 26 Sep 2019 06:20:31 -0700 (PDT)
Received: from app32.wa-webapps.iad3a (relay-webapps.rsapps.net [172.27.255.140]) by smtp22.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 53E3F679B; Thu, 26 Sep 2019 09:20:30 -0400 (EDT)
X-Sender-Id: scott@hyperthought.com
Received: from app32.wa-webapps.iad3a (relay-webapps.rsapps.net [172.27.255.140]) by 0.0.0.0:25 (trex/5.7.12); Thu, 26 Sep 2019 09:20:30 -0400
Received: from hyperthought.com (localhost.localdomain [127.0.0.1]) by app32.wa-webapps.iad3a (Postfix) with ESMTP id 3D1C3E0053; Thu, 26 Sep 2019 09:20:30 -0400 (EDT)
Received: by apps.rackspace.com (Authenticated sender: scott@hyperthought.com, from: scott@hyperthought.com) with HTTP; Thu, 26 Sep 2019 06:20:30 -0700 (PDT)
X-Auth-ID: scott@hyperthought.com
Date: Thu, 26 Sep 2019 06:20:30 -0700 (PDT)
From: "Scott G. Kelly" <scott@hyperthought.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, draft-ietf-dnsop-obsolete-dlv.all@ietf.org
MIME-Version: 1.0
Content-Type: text/plain;charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Importance: Normal
X-Priority: 3 (Normal)
X-Type: plain
Message-ID: <1569504030.247815945@apps.rackspace.com>
X-Mailer: webmail/16.6.0-RC
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/pJkypUiXRfE70sAgZVb_wyc4350>
Subject: [secdir] secdir review of draft-ietf-dnsop-obsolete-dlv-00
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Sep 2019 13:20:39 -0000

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is ready.

From the abstract, this document obsoletes DNSSEC lookaside validation (DLV) and reclassifies RFCs 4431 and 5074 as Historic.

The document lists all current references to DLV RFCs and describes necessary changes to those RFCs. The security considerations basically say that zones relying on DLV will have to find another way, but that there are no well-known DLV registries, so this number will likely be small.

I'm not a DNSSEC expert, so maybe this is a dumb question, but is there any possibility that someone doesn't get the memo, and continues to rely on some not-so-well-known DLV registry? And if so, what could happen as a result? Anything anyone should care about?

Thanks,

Scott