Skip to main content

Last Call Review of draft-ietf-dnsop-avoid-fragmentation-15
review-ietf-dnsop-avoid-fragmentation-15-secdir-lc-eastlake-2023-10-28-00

Request Review of draft-ietf-dnsop-avoid-fragmentation
Requested revision No specific revision (document currently at 20)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2023-10-27
Requested 2023-10-13
Authors Kazunori Fujiwara , Paul A. Vixie
I-D last updated 2023-10-28
Completed reviews Dnsdir Telechat review of -16 by Vladimír Čunát (diff)
Artart Telechat review of -16 by Barry Leiba (diff)
Secdir Telechat review of -16 by Donald E. Eastlake 3rd (diff)
Dnsdir Last Call review of -15 by Vladimír Čunát (diff)
Artart Last Call review of -15 by Barry Leiba (diff)
Tsvart Last Call review of -15 by Mirja Kühlewind (diff)
Dnsdir Last Call review of -13 by Vladimír Čunát (diff)
Secdir Last Call review of -15 by Donald E. Eastlake 3rd (diff)
Genart Last Call review of -15 by Christer Holmberg (diff)
Assignment Reviewer Donald E. Eastlake 3rd
State Completed
Request Last Call review on draft-ietf-dnsop-avoid-fragmentation by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/HU2ylFO_zLpJMqxmv2XVhv6cML0
Reviewed revision 15 (document currently at 20)
Result Has issues
Completed 2023-10-28
review-ietf-dnsop-avoid-fragmentation-15-secdir-lc-eastlake-2023-10-28-00
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. Document editors and WG chairs should treat these comments just
like any other last call comments.

The summary of the review is Ready with Issues.

I debated with myself as to whether the things that were bothering me
about this draft were small issues or big nits. I ended up deciding
that they were issues, although it might just be me.

The goal of this Best Current Practice draft is to, as the title says,
avoid fragmentation. This is for better security over UDP and better
efficiency over TCP for DNS.

Security
--------

I don't understand why R2 is not a SHOULD now.

Please consider moving Appendix A into the Security Considerations
Section. I think Appendix A is almost all Security Considerations.

Other Issues
------------

My first problem is with the first sentence in the abstract. The mere
existence of EDNS0 doesn't "enable" large responses. There seems to be
a lot missing in this sentence.  I suggest something like "The widely
deployed EDNS0 feature in the DNS enables a DNS receiver to indicate
its received UDP message size capacity which supports the sending of
large UDP responses by a DNS server." Similar problem in the first
paragraph of the Introduction although split over multiple sentences.

A Best Current Practice document should specify things, not propose
them. The first two occurrences of "propose" in this document should
be changed to "specify" and the Section 3 title should be changed to
"How to avoid IP fragmentation in DNS". Other occurrences of
"propose", which are all in Appendices, are OK.

In Section 3, why are R2 and R4 only "MAY"? What not "SHOULD"?

In Section 3, R3, for clarity, suggest inserting "minimum of" so it
would start with "UDP responders SHOULD compose response packets that
fit in the minimum of the ..."

Section 4: Not all large responses are the result of zone
configuration.  For example, queries may use the TYPE * (ALL).
Wording should be something like "Large DNS responses are typically
the result of zone configuration."

Appendix D: It is unusual to have lots of details of particular
implementations in a BCP. This information will become out of
date. Should there be an RFC Editor comment to remove this appendix
before publication?

Nits
----

According to the nits checker:

     the RFC 2119 boilerplate has an error, and

     draft-ietf-dnsop-glue-is-not-optional has been published as RFC
     9471 so the reference should be updated.

Suggest eliminating the Section 5.1 header and changing the Section
5. title to "Protocol compliance considerations".

Suggest changing Section 6 to be "This document requests no IANA
actions."

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 2386 Panoramic Circle, Apopka, FL 32703 USA
 d3e3e3@gmail.com