[secdir] secdir review of draft-ietf-v6ops-v6-aaaa-whitelisting-implications-03

Russ Mundy <mundy@tislabs.com> Tue, 03 May 2011 02:49 UTC

Return-Path: <mundy@tislabs.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A42A5E0727; Mon, 2 May 2011 19:49:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.53
X-Spam-Level:
X-Spam-Status: No, score=-1.53 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, DATE_IN_PAST_06_12=1.069]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xBBI9nxELoYT; Mon, 2 May 2011 19:49:03 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by ietfa.amsl.com (Postfix) with ESMTP id 07DAFE06EF; Mon, 2 May 2011 19:49:02 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id p432Ta3f021267; Mon, 2 May 2011 21:29:36 -0500
Received: from mailbin2.ads.sparta.com (mailbin.sparta.com [157.185.85.6]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id p432TYZp011361; Mon, 2 May 2011 21:29:34 -0500
Received: from nermal.tislabs.com ([192.94.214.97]) by mailbin2.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Mon, 2 May 2011 15:58:16 -0400
From: Russ Mundy <mundy@tislabs.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Mon, 2 May 2011 15:58:16 -0400
Message-Id: <BEDC9811-A413-4858-8F2C-27EE13417C30@tislabs.com>
To: secdir@ietf.org
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
X-OriginalArrivalTime: 02 May 2011 19:58:16.0843 (UTC) FILETIME=[470C1DB0:01CC0903]
Cc: draft-ietf-v6ops-v6-aaaa-whitelisting-implications.all@tools.ietf.org, iesg@ietf.org, Russ Mundy <mundy@sparta.com>
Subject: [secdir] secdir review of draft-ietf-v6ops-v6-aaaa-whitelisting-implications-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 May 2011 02:49:03 -0000

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

I found the document to be well written as well as providing sound technical descriptions of the topic of DNS Whitelisting.  

From a security review perspective, I do have a suggestion for section 10 Security Considerations.  The section infers (at least to me) that there is something different or unique for configuring DNS Whitelist configuration protection from other configuration settings for name servers.  Unless I've misunderstood how servers actually implement whitelisting, it uses the same configuration mechanisms and files as any other name server ACL or many other name server configuration settings - _all_ the configuration settings for a name server should be protected so that only authorized individuals can change them.  Modifying the wording to say something to the effect of "Just as all configuration settings for name servers should be protected by appropriate procedures and systems ..."


Russ Mundy