Skip to main content

Last Call Review of draft-ietf-dnsop-dns-tcp-requirements-12
review-ietf-dnsop-dns-tcp-requirements-12-secdir-lc-dekok-2021-09-02-00

Request Review of draft-ietf-dnsop-dns-tcp-requirements
Requested revision No specific revision (document currently at 15)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2021-09-03
Requested 2021-08-20
Authors John Kristoff , Duane Wessels
Draft last updated 2021-09-02
Completed reviews Tsvart Last Call review of -12 by Mirja Kühlewind (diff)
Artart Last Call review of -12 by Jean Mahoney (diff)
Secdir Last Call review of -12 by Alan DeKok (diff)
Genart Last Call review of -12 by Dan Romascanu (diff)
Intdir Telechat review of -13 by Ron Bonica (diff)
Assignment Reviewer Alan DeKok
State Completed Snapshot
Review review-ietf-dnsop-dns-tcp-requirements-12-secdir-lc-dekok-2021-09-02
Posted at https://mailarchive.ietf.org/arch/msg/secdir/LvnyNRIN9O0rSrN8Qf1LBSsVwiM
Reviewed revision 12 (document currently at 15)
Result Has Nits
Completed 2021-08-27
review-ietf-dnsop-dns-tcp-requirements-12-secdir-lc-dekok-2021-09-02-00
Reviewer: Alan DeKok
Review result: Has nits

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

  Over all, I think this document is clear, useful and well written.

Section 1 says:

   ... Section 6.1.3.2 to clarify that all DNS resolvers and recursive MUST
   support and service both TCP and UDP queries.

NIT: bare "recursive" should perhaps be "recursive servers", to match similar
text elsewhere in the document.

  It may be good to update Section 3 with notes on "head of line blocking". 
  This text could arguably be in RFC 7766, but having it here is a reasonable
  alternative:

   When using UDP as a transport for DNS, there is no ordering of
   packets.  If a packet is lost, that loss has no
   effect on subsequent packets sent by that client or server.

   Unlike UDP, TCP is subject to issues related to Head of Line (HoL)
   blocking.  This occurs when a TCP segment is lost and a subsequent
   TCP segment arrives out of order.  While the DNS implementation can
   process DNS packets out of order, the semantics of TCP makes this
   impossible.  This limitation can lower the maximum packet processing
   rate of DNS over TCP.

Section 6 says:

   Developers SHOULD also keep in mind connection reuse, query
   pipelining, and out-of-order responses when building and testing DNS
   monitoring applications.

  It would also be good to note that if the monitoring software tracks requests
  and responses, then clients could potentially attack the monitoring software,
  too.  i.e. by sending large volumes of requests to "black hole" IPs, which
  will never get a response.   So the monitoring software should have both
  timeouts for request/response tracking, and also limit the total number of
  request/responses which are monitored.