Skip to main content

Last Call Review of draft-ietf-add-split-horizon-authority-06
review-ietf-add-split-horizon-authority-06-secdir-lc-ladd-2023-11-24-00

Request Review of draft-ietf-add-split-horizon-authority
Requested revision No specific revision (document currently at 10)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2023-12-01
Requested 2023-11-09
Requested by David C Lawrence
Authors Tirumaleswar Reddy.K , Dan Wing , Kevin Smith , Benjamin M. Schwartz
I-D last updated 2023-11-24
Completed reviews Intdir Last Call review of -06 by Bob Halley (diff)
Dnsdir Last Call review of -06 by Anthony Somerset (diff)
Opsdir Last Call review of -06 by Tianran Zhou (diff)
Secdir Last Call review of -06 by Watson Ladd (diff)
Assignment Reviewer Watson Ladd
State Completed
Request Last Call review on draft-ietf-add-split-horizon-authority by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/1UeB3kGUEnMo3rK-1O9UhLus4qQ
Reviewed revision 06 (document currently at 10)
Result Has issues
Completed 2023-11-24
review-ietf-add-split-horizon-authority-06-secdir-lc-ladd-2023-11-24-00
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call
comments.

The summary of the review is has issues. I found a few editorial things, and
have one question, but I suspect that these can be resolved easily.

Firstly the description of split horizon seems to say that any time the
resolver is authoritative for just some names and recurses for others. I don't
think this is right: the split is that the answers given are different from
what they are for any other resolver, and that's what creates the need for this
draft. This is defined correctly in section 2, it's just a need to reword the
intro slightly.

In Section 5 I think more clarity is needed about which DNS name needs to
match, and how the matching is to be done, perhaps citing a UTA doc. I think
what's supposed to be said is that the ADN is a subjectAltName matching under
RFC 6125.

The one more serious question I have is how does rotation work. The DNS changes
may not take place together with the authorization claim transmission, and this
seems underspecified. Does the split horizon break until the two are in sync
again?

Sincerely,
Watson Ladd