Last Call Review of draft-ietf-dnsext-dnssec-algo-signal-09
review-ietf-dnsext-dnssec-algo-signal-09-secdir-lc-moriarty-2013-04-25-00

Request Review of draft-ietf-dnsext-dnssec-algo-signal
Requested rev. no specific revision (document currently at 10)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2013-04-23
Requested 2013-03-21
Authors Steve Crocker, Scott Rose
Draft last updated 2013-04-25
Completed reviews Genart Last Call review of -09 by Meral Shirazipour (diff)
Genart Telechat review of -10 by Meral Shirazipour
Secdir Last Call review of -09 by Kathleen Moriarty (diff)
Assignment Reviewer Kathleen Moriarty
State Completed
Review review-ietf-dnsext-dnssec-algo-signal-09-secdir-lc-moriarty-2013-04-25
Reviewed rev. 09 (document currently at 10)
Review result Has Nits
Review completed: 2013-04-25

Review
review-ietf-dnsext-dnssec-algo-signal-09-secdir-lc-moriarty-2013-04-25



I have reviewed this document as part of the security directorate's




ongoing effort to review all IETF documents being processed by the




IESG.  These comments were written primarily for the benefit of the




security area directors.  Document editors and WG chairs should treat




these comments just like any other last call comments.




 




Summary: This document specifies a way for a client to signal its digital




   signature and hash algorithm knowledge to a cache or server.  

The intent is for it to be used by cache or server administrators to track evolving algorithm support. 





 




 




Detail: The draft seems straightforward and is just a method for clients to notify the server of supported algorithms.  The only other attack I can think of, that is not mentioned, would be a denial of service. 
You may want to add this to the security considerations and any notes on how it can be prevented (connections or logs).




 




Best regards,




Kathleen