Last Call Review of draft-ietf-dnsext-dnssec-algo-signal-09

Request Review of draft-ietf-dnsext-dnssec-algo-signal
Requested rev. no specific revision (document currently at 10)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2013-04-23
Requested 2013-03-21
Other Reviews Genart Last Call review of -09 by Meral Shirazipour (diff)
Genart Telechat review of -10 by Meral Shirazipour
Review State Completed
Reviewer Kathleen Moriarty
Review review-ietf-dnsext-dnssec-algo-signal-09-secdir-lc-moriarty-2013-04-25
Posted at
Reviewed rev. 09 (document currently at 10)
Review result Has Nits
Draft last updated 2013-04-25
Review completed: 2013-04-25


I have reviewed this document as part of the security directorate's

ongoing effort to review all IETF documents being processed by the

IESG.  These comments were written primarily for the benefit of the

security area directors.  Document editors and WG chairs should treat

these comments just like any other last call comments.


Summary: This document specifies a way for a client to signal its digital

   signature and hash algorithm knowledge to a cache or server.  

The intent is for it to be used by cache or server administrators to track evolving algorithm support. 



Detail: The draft seems straightforward and is just a method for clients to notify the server of supported algorithms.  The only other attack I can think of, that is not mentioned, would be a denial of service. 
You may want to add this to the security considerations and any notes on how it can be prevented (connections or logs).


Best regards,