CHAIN Query Requests in DNS
draft-ietf-dnsop-edns-chain-query-07

[Ballot comment]
-- Section 6.3 --

  It is RECOMMENDED that TCP sessions not immediately be closed after
  the DNS answer to the first query is received.  It is recommended to
  use [TCP-KEEPALIVE].

A very tiny point: it strikes me that the 2119-level "RECOMMENDED" is on the wrong half of this -- I think the 2119-level recommendation should be on the TCP-KEEPALIVE part.  I'd word it this way, but you can certainly ignore this if you prefer, and no response is necessary:

NEW
  The use of [TCP-KEEPALIVE] on DNS TCP sessions is RECOMMENDED, and 
  thus TCP sessions should not immediately be closed after the DNS
  answer to the first query is received.
END

[Ballot comment]
Modulo the missing privacy issues in section 8, I support the publication of this document and the resulting experimentation to reduce the latency of DNSSEC validation.

[Ballot comment]


- In section 3 you promised me privacy considerations in section
8 but I didn't find any there. That was almost a DISCUSS, but
since fixing it is easy and I assume won't be controversial I
can stick with a YES ballot:-)

- I would suggest that you do note in section 8, that the fqdn
in the CHAIN option could allow an attacker to (re-)identify a
client. E.g. if the attacker sees that you have validated
tetbed.ie before that could single you out, even if you have
changed your n/w, cilent IP address etc. Presumably that would
be a relatively long lasting concern as well, as RRSIG expiry
tends to be weeks ahead. I think just noting that and maybe
saying that DPRIVE is a likely mitigation would be a good thing
to do.

(Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs:

IANA has completed its review of draft-ietf-dnsop-edns-chain-query-05.txt. If any part of this review is inaccurate, please let us know.

IANA understands that, upon approval of this document, there is a single action which IANA must complete.

In the DNS EDNS0 Option Codes (OPT) subregistry of the Domain Name System (DNS) Parameters registry located at:

https://www.iana.org/assignments/dns-parameters/

the current value of 13 will have its reference changed to [ RFC-to-be ].

The revised entry will be:

Value: 13
Name: Chain
Status: Optional
Reference: [ RFC-to-be ]

As this document requests registrations in an Expert Review or Specification Required (see RFC 5226) registry, we will initiate the required Expert Review via a separate request. Expert review will need to be completed before your document can be approved for publication as an RFC.

IANA understands that this is the only action required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed. 

Thank you,

Sabrina Tanamal
IANA Specialist
ICANN

The following Last Call announcement was sent out:

From: The IESG
To: "IETF-Announce"
CC: tjw.ietf@gmail.com, joelja@gmail.com, dnsop-chairs@ietf.org, dnsop@ietf.org, draft-ietf-dnsop-edns-chain-query@ietf.org
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Chain Query requests in DNS) to Experimental RFC


The IESG has received a request from the Domain Name System Operations WG
(dnsop) to consider the following document:
- 'Chain Query requests in DNS'
  as Experimental RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2016-01-18. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document defines an EDNS0 extension that can be used by a
  security-aware validating Resolver configured to use a Forwarder to
  send a single query, requesting a complete validation path along with
  the regular query answer.  The reduction in queries lowers the
  latency and reduces the need to send multiple queries at once.  This
  extension mandates the use of source IP verified transport such as
  TCP or UDP with EDNS-COOKIE so it cannot be abused in amplification
  attacks.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-dnsop-edns-chain-query/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-dnsop-edns-chain-query/ballot/


No IPR declarations have been submitted directly on this I-D.

1. Summary

Document Shepherd:  Tim Wicinski
Area Director:      Joel Jaggeli

Document Type: Experimental

This document defines an EDNS0 extension that can be used by a security-aware validating Resolver configured to use a Forwarder to send a single query, requesting a complete validation path along with the regular query answer.

2. Review and Consensus

This document was heavily reviewed, and discussed by the Working Group. There had been a few operational issues brought up that were resolved.  During the WGLC, there was an argument from one person that this could be solved using a different mechanism. It was pointed out that the other mechanism has never been attempted or implemented.  It is worth reading for a sense of the discussion that started here:

https://mailarchive.ietf.org/arch/msg/dnsop/YAOKdXMZe4iMt2HV0CT-cAtjVKQ

The WG is behind this document.  There are some reviews from the Apps Area that helped clean up the document.

As this is experimental, there are current attempts to implement this.  As operational knowledge becomes available, this document will move toward Proposed Standard.

3. Intellectual Property

There are no IPR related to this document.

4. Other Points

Downward References:

There currently exists normative references to Informational or Experimental RFCs. We are working with the Authors to clear these up.

Note any downward references (see RFC 3967) and whether they appear in the DOWNREF Registry (​http://trac.tools.ietf.org/group/iesg/trac/wiki/DownrefRegistry), as these need to be announced during Last Call.

IANA Considerations:

IANA has assigned option code 13 in the "DNS EDNS0 Option Codes (OPT)" registry.

Checklist

This section is not meant to be submitted, but is here as a useful checklist of things the document shepherd is expected to have verified before publication is requested from the responsible Area Director. If the answers to any of these is "no", please explain the situation in the body of the writeup.

X Does the shepherd stand behind the document and think the document is ready for publication?

X Is the correct RFC type indicated in the title page header?

X Is the abstract both brief and sufficient, and does it stand alone as a brief summary?

X Is the intent of the document accurately and adequately explained in the introduction?

X Have all required formal reviews (MIB Doctor, Media Type, URI, etc.) been requested and/or completed?

X Has the shepherd performed automated checks -- idnits (see ​http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist), checks of BNF rules, XML code and schemas, MIB definitions, and so on -- and determined that the document passes the tests? (In general, nits should be fixed before the document is sent to the IESG. If there are reasons that some remain (false positives, perhaps, or abnormal things that are necessary for this particular document), explain them.)

X Has each author stated that their direct, personal knowledge of any IPR related to this document has already been disclosed, in conformance with BCPs 78 and 79?

- Have all references within this document been identified as either normative or informative, and does the shepherd agree with how they have been classified?

- Are all normative references made to documents that are ready for advancement and are otherwise in a clear state?

X If publication of this document changes the status of any existing RFCs, are those RFCs listed on the title page header, and are the changes listed in the abstract and discussed (explained, not just mentioned) in the introduction?

X If this is a "bis" document, have all of the errata been considered?

X IANA Considerations:
    - Are the IANA Considerations clear and complete? Remember that IANA have to understand unambiguously what's being requested, so they can perform the required actions.
    - Are all protocol extensions that the document makes associated with the appropriate reservations in IANA registries?
    - Are all IANA registries referred to by their exact names (check them in ​http://www.iana.org/protocols/ to be sure)?
    - Have you checked that any registrations made by this document correctly follow the policies and procedures for the appropriate registries?
    - For registrations that require expert review (policies of Expert Review or Specification Required), have you or the working group had any early review done, to make sure the requests are ready for last call?
    - For any new registries that this document creates, has the working group actively chosen the allocation procedures and policies and discussed the alternatives? Have reasonable registry names been chosen (that will not be confused with those of other registries), and have the initial contents and valid value ranges been clearly specified?