
Last Call Review of draft-ietf-dnsop-dnssec-bcp-03

Request Review of draft-ietf-dnsop-dnssec-bcp
Requested revision No specific revision (document currently at 06)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2022-10-05
Requested 2022-09-21
Authors Paul E. Hoffman
I-D last updated 2022-09-30
Completed reviews Opsdir Last Call review of -03 by Gyan Mishra
Genart Last Call review of -03 by Linda Dunbar
Secdir Last Call review of -03 by Catherine Meadows
Dnsdir Telechat review of -05 by Nicolai Leymann
Intdir Telechat review of -05 by Sheng Jiang
Assignment Reviewer Catherine Meadows
State Completed
Review review-ietf-dnsop-dnssec-bcp-03-secdir-lc-meadows-2022-09-30
Reviewed revision 03 (document currently at 06)
Result Has nits
Completed 2022-09-30
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is Ready with nits

This draft describes the various DNS security extensions, collectively known as
DNSSEC.  It gives a brief description of the DNSSEC documents, along with a
discussion of their importance and relevance.  The purpose of this draft is
twofold.  One is to make it easier for readers to learn about DNSSEC by
providing a single source that identifies and describes the relevant
documents.  The other is to move DNSSEC to Best Current Practice Status.

I found the document well written, well organized, and informative.  The
documents are clearly ordered by category (Core, Core Additions, Additional
Cryptographic Algorithms, Extensions to DNSSEC, and Additional Documents of
Interest), and the reader is advised of their relevance.  That is, some RFCs
are of limited importance because the features they describe have not been
widely implemented.  It looks like it could be very useful to someone starting to
learn about DNSSEC.

The Security Considerations section consists of the statement that the security
considerations from all of the RFCs referenced in this document apply here.
I certainly agree with that.

I found one thing that could use improving:

The descriptions given in the additional documents of interest section all seem
to be quotations from the documents described.  In most cases this worked well,
but I found the description of RFC4470 a little puzzling.  It says that the
RFC "describes how to construct DNSSEC NSEC resource records that cover a
smaller range of names than called for by [RFC4034]".

All the other descriptions mentioned have to do with some security-relevant
topic, but it is hard to see what the security relevance of this is without
more information.  In this case, it might be helpful to include the next
sentence, which is
"By generating and signing these records on demand, authoritative name servers
can effectively stop the disclosure of zone contents otherwise made possible
by walking the chain of NSEC records in a signed zone."

This is still a little opaque, but then at least the reader should understand
that the reason this document is relevant is that it prevents an attacker from
learning all the names in a zone.
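The NSEC chain walk the quoted sentence refers to, and the RFC 4470 on-demand records that stop it, modelled as an added toy example (not part of the review or the draft): the sample zone, the names and the simplified predecessor rule are constructed here, and nothing touches the network.

```python
# Added toy model (not from the review or the draft) of an NSEC chain walk and of
# RFC 4470 minimally covering NSEC records. Names are plain strings using DNS
# escape notation for the octets \000 and \255; no network is involved.

# Constructed sample zone: the names a signed zone's NSEC chain links together.
ZONE = ["example", "alpha.example", "mail.example", "www.example"]

def canonical_key(name: str):
    """RFC 4034 s6.1 canonical order: labels compared right to left, case-folded;
    a name sorts after any name that is a suffix (parent) of it."""
    return [lbl.lower() for lbl in name.rstrip(".").split(".")[::-1]]

def static_nsec(qname: str):
    """Normal RFC 4034 behaviour: answer a nonexistent qname with the precomputed
    NSEC record (owner, next) whose span covers it. Both ends are real names."""
    names = sorted(ZONE, key=canonical_key)
    k = canonical_key(qname)
    prev = names[-1]                      # the chain wraps from last name to apex
    for n in names:
        if canonical_key(n) > k:
            return prev, n
        prev = n
    return prev, names[0]

def minimal_nsec(qname: str):
    """RFC 4470 style: synthesize (and, in a real server, sign on demand) the
    tightest span around qname. Successor: prepend a label of one zero octet.
    Predecessor (simplified here): decrement the last octet of the first label
    and pad that label with 0xff octets to 63 octets. Neither end is a real name."""
    first, _, rest = qname.partition(".")
    b = bytearray(first.encode("latin-1"))
    b[-1] -= 1                            # toy: assumes the octet is not already zero
    pred_label = b.decode("latin-1") + "\\255" * (63 - len(b))
    pred = pred_label + ("." + rest if rest else "")
    return pred, "\\000." + qname

def disclosed(nsec_fn, qname: str, steps: int) -> set:
    """What a chain walk learns: take the covering record for qname, note both of
    its names, then ask for the name immediately after 'next' and repeat."""
    names = set()
    for _ in range(steps):
        owner, nxt = nsec_fn(qname)
        names.update({owner, nxt})
        qname = "\\000." + nxt            # sorts right after nxt, so it is absent
    return names

if __name__ == "__main__":
    print("static chain discloses:", sorted(disclosed(static_nsec, "bogus.example", 3)))
    print("minimal records disclose:", disclosed(minimal_nsec, "bogus.example", 3) & set(ZONE))
```

With the precomputed chain three queries return every name in the sample zone; with minimally covering records the same queries return only synthesized names that sort next to the query.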