Last Call Review of draft-iab-2870bis-01
review-iab-2870bis-01-secdir-lc-wierenga-2014-05-30-00

Hi,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document specifies he protocol and deployment requirements expected to be
implemented for the DNS root name service, operational requirements are taken
out of 2870, those are published separately (one hopes, see below). The
document is short (thank you! ;-) and clear. I consider it ready with a few
issues:

===

- paragraph 3 (deployment requirements):

"The root name service:

      MUST answer queries from any entity conforming to [RFC1122] with a
      valid IP address.”

I find this a bit confusing. Perhaps showing my ignorance, but should it not be
be “… with a valid IP-address or a referral to an authoritative name server”?

- paragraph 4 (security considerations):

This is a bit weak imo.

At the very least I would expect some discussion about privacy here or in a
separate section “privacy considerations”, queries to the root give good
insight into what sites the requester is visiting, mitigated by the fact that
most queries will not reach the root due to caching of responses. In any case
worth some discussion in the era of pervasive surveillance….

Furthermore, the reference to [RSSAC-001] leads to a list of members of RSSAC,
not to a document. A quick search at the RSSAC site also didn’t get me to any
document called "Service Expectations of Root Servers”, only to the project
that was supposed to deliver it. I think you need to fix that reference.

===

Hope this helps,

Klaas