Skip to main content

Last Call Review of draft-ietf-dnsop-7706bis-07
review-ietf-dnsop-7706bis-07-genart-lc-robles-2020-02-28-00

Request Review of draft-ietf-dnsop-7706bis
Requested revision No specific revision (document currently at 12)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2020-02-28
Requested 2020-02-14
Authors Warren "Ace" Kumari , Paul E. Hoffman
Draft last updated 2020-02-28
Completed reviews Opsdir Last Call review of -07 by Jouni Korhonen (diff)
Secdir Last Call review of -07 by Linda Dunbar (diff)
Genart Last Call review of -07 by Ines Robles (diff)
Assignment Reviewer Ines Robles
State Completed
Review review-ietf-dnsop-7706bis-07-genart-lc-robles-2020-02-28
Posted at https://mailarchive.ietf.org/arch/msg/gen-art/uodhK5c0mTMM5XWLPh7p44rc0pU
Reviewed revision 07 (document currently at 12)
Result Ready with Nits
Completed 2020-02-28
review-ietf-dnsop-7706bis-07-genart-lc-robles-2020-02-28-00
I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at

<https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.

Document: draft-ietf-dnsop-7706bis-07
Reviewer: Ines Robles
Review Date: 2020-02-28
IETF LC End Date: 2020-02-28
IESG Telechat date: Not scheduled for a telechat

Summary:

The document is well written,  it supplies appendixes with examples.

This document describes a method for the operator of a recursive resolver to
have a complete root zone locally, and to hide queries for the root zone from
outsiders, at the cost of adding some operational fragility for the operator.

I have some minor questions.

Major issues: None

Minor issues: None.

Nits/editorial comments:

1- Appendix B.5: it seems that the link is not valid: <https://knot-
   resolver.readthedocs.io/en/stable/modules.html#root-on-loopback-rfc-
   7706>

  This link worked for me:
  https://knot-resolver.readthedocs.io/en/stable/modules-rfc7706.html.

Questions:

1- It seems that this document replaces RFC7706, but the document states that
it updates RFC7706, is that correct?

2- Abstract: "The cost of adding some operational fragility for the operator",
Does it introduce security considerations that have to be mentioned?

3- Section 1: "Research shows that the vast majority of queries going to the
root are for names that do not exist in the
   root zone." - Do you have some references to that research that can be added
   to the draft?

4- I would expand KSK to Key signing key (KSK).

5- Should this draft add a reference to rfc8499?

Thank you for this document,

Ines.