Re: [secdir] secdir review of draft-ietf-dnsext-dns-tcp-requirements-03
Ray Bellis <Ray.Bellis@nominet.org.uk> Mon, 14 June 2010 10:49 UTC
Return-Path: <Ray.Bellis@nominet.org.uk>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6D2733A6885; Mon, 14 Jun 2010 03:49:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.305
X-Spam-Level:
X-Spam-Status: No, score=-9.305 tagged_above=-999 required=5 tests=[AWL=1.293, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q1EXhAjczzF2; Mon, 14 Jun 2010 03:49:37 -0700 (PDT)
Received: from mx4.nominet.org.uk (mx4.nominet.org.uk [213.248.199.24]) by core3.amsl.com (Postfix) with ESMTP id 952093A688B; Mon, 14 Jun 2010 03:49:36 -0700 (PDT)
DomainKey-Signature: s=main.dk.nominet.selector; d=nominet.org.uk; c=nofws; q=dns; h=X-IronPort-AV:Received:Received:From:To:CC:Subject: Thread-Topic:Thread-Index:Date:Message-ID:References: In-Reply-To:Accept-Language:Content-Language: X-MS-Has-Attach:X-MS-TNEF-Correlator:Content-Type: MIME-Version; b=krIgTIu8w7O2gl86O/+uzVVtZLlrFlcjMAqmlgxhZiZUIKY+7Q+rv1sZ aoZxsIQ3+rCuTW/MaRCaqdNDee158WOAbYLaF55vgqX4pOWLCF1bxtqVL doaZQpDdoAkcW4W;
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nominet.org.uk; i=Ray.Bellis@nominet.org.uk; q=dns/txt; s=main.dkim.nominet.selector; t=1276512581; x=1308048581; h=from:sender:reply-to:subject:date:message-id:to:cc: mime-version:content-transfer-encoding:content-id: content-description:resent-date:resent-from:resent-sender: resent-to:resent-cc:resent-message-id:in-reply-to: references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:list-owner:list-archive; z=From:=20Ray=20Bellis=20<Ray.Bellis@nominet.org.uk> |Subject:=20Re:=20secdir=20review=20of=20draft-ietf-dnsex t-dns-tcp-requirements-03|Date:=20Mon,=2014=20Jun=202010 =2010:49:37=20+0000|Message-ID:=20<AA39C80F-2467-40BD-BF2 0-AE7C31A82BC2@nominet.org.uk>|To:=20"<barryleiba@compute r.org>"=20<barryleiba@computer.org>|CC:=20"<secdir@ietf.o rg>"=20<secdir@ietf.org>,=20"<iesg@ietf.org>"=20<iesg@iet f.org>,=0D=0A=09"<draft-ietf-dnsext-dns-tcp-requirements. all@tools.ietf.org>"=0D=0A=09<draft-ietf-dnsext-dns-tcp-r equirements.all@tools.ietf.org>|MIME-Version:=201.0 |In-Reply-To:=20<AANLkTim9z6L2tPiT-6gy_YUdMUr-U3AQeJe1YKW jw2sD@mail.gmail.com>|References:=20<AANLkTim9z6L2tPiT-6g y_YUdMUr-U3AQeJe1YKWjw2sD@mail.gmail.com>; bh=k7SlM6SE4tzTcXskgwG5RSHQVZcZldBnsucLOJT78BE=; b=q1JGzg5vTom9lkUahpc+jkF4x7adqb99FPrvttnikG/vOxK82Il4DiIX Y04kgwYxzx9UUxJ4X7ATuP4FJ3fcA4LiNOnuF2SXAv2FQVn3fOoiu7HMM VSAqdutDi5MCvY4;
X-IronPort-AV: E=Sophos; i="4.53,413,1272841200"; d="scan'208,217"; a="19289450"
Received: from wds-exc2.okna.nominet.org.uk ([213.248.197.145]) by mx4.nominet.org.uk with ESMTP; 14 Jun 2010 11:49:39 +0100
Received: from WDS-EXC1.okna.nominet.org.uk ([fe80::1593:1394:a91f:8f5f]) by wds-exc2.okna.nominet.org.uk ([fe80::7577:eaca:5241:25d4%20]) with mapi; Mon, 14 Jun 2010 11:49:38 +0100
From: Ray Bellis <Ray.Bellis@nominet.org.uk>
To: "<barryleiba@computer.org>" <barryleiba@computer.org>
Thread-Topic: secdir review of draft-ietf-dnsext-dns-tcp-requirements-03
Thread-Index: AQHLA1x1KY8lbbDqwkqxPSjehhszdJKBRxSA
Date: Mon, 14 Jun 2010 10:49:37 +0000
Message-ID: <AA39C80F-2467-40BD-BF20-AE7C31A82BC2@nominet.org.uk>
References: <AANLkTim9z6L2tPiT-6gy_YUdMUr-U3AQeJe1YKWjw2sD@mail.gmail.com>
In-Reply-To: <AANLkTim9z6L2tPiT-6gy_YUdMUr-U3AQeJe1YKWjw2sD@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_AA39C80F246740BDBF20AE7C31A82BC2nominetorguk_"
MIME-Version: 1.0
X-Mailman-Approved-At: Mon, 14 Jun 2010 08:03:01 -0700
Cc: "<draft-ietf-dnsext-dns-tcp-requirements.all@tools.ietf.org>" <draft-ietf-dnsext-dns-tcp-requirements.all@tools.ietf.org>, "<iesg@ietf.org>" <iesg@ietf.org>, "<secdir@ietf.org>" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-dnsext-dns-tcp-requirements-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Jun 2010 10:49:38 -0000
I have only one minor comment, in the Security Considerations section: At the time of writing the vast majority of TLD authority servers and all of the root name servers support TCP and the author knows of no evidence to suggest that TCP-based DoS attacks against existing DNS infrastructure are commonplace. Since this is a working group document, not an individual or independent submission, I'd rather see "and the dnsext working group knows of no evidence", to stress that the fact was reviewed by the working group, and the statement has working group consensus. This is, of course, assuming that that's truly the case -- if it is not, then I do have an issue with that. Well, during the substantial WG review the working group didn't tell me of any TCP-based DoS attacks against DNS, so in that respect the author _still_ knows of no evidence... ;-) Olafur - what would you recommend? Ray