Last Call Review of draft-ietf-dnsop-dnssec-roadblock-avoidance-04
review-ietf-dnsop-dnssec-roadblock-avoidance-04-opsdir-lc-vyncke-2016-07-11-00
Request | Review of | draft-ietf-dnsop-dnssec-roadblock-avoidance |
---|---|---|
Requested revision | No specific revision (document currently at 05) | |
Type | Last Call Review | |
Team | Ops Directorate (opsdir) | |
Deadline | 2016-07-05 | |
Requested | 2016-06-13 | |
Authors | Wes Hardaker , Ólafur Guðmundsson , Suresh Krishnaswamy | |
I-D last updated | 2016-07-11 | |
Completed reviews |
Opsdir Last Call review of -04
by Éric Vyncke
(diff)
|
|
Assignment | Reviewer | Éric Vyncke |
State | Completed | |
Request | Last Call review on draft-ietf-dnsop-dnssec-roadblock-avoidance by Ops Directorate Assigned | |
Reviewed revision | 04 (document currently at 05) | |
Result | Has issues | |
Completed | 2016-07-11 |
review-ietf-dnsop-dnssec-roadblock-avoidance-04-opsdir-lc-vyncke-2016-07-11-00
Hi, I have reviewed draft-ietf-dnsop-dnssec-roadblock-avoidance-04 as part of the Operational directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving the operational aspects of the IETF drafts. Comments that are not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments. From the abstract: This document describes problems that a DNSSEC aware resolver/ application might run into within a non-compliant infrastructure. It outline (SIC) potential detection and mitigation techniques. It provides a way for DNSSEC validator to check whether DNSSEC is not blocked on the path. Based on my operational experience, I have seen multiple DNSSEC packets dropped by firewalls because they try to use EDNS0 rather than fragmenting. Does your I-D also address this issue? I am a little puzzled by the hand waving "we also assume that the path is clear of "DNS interfering" crap-ware/middle-boxes, like stupid firewalls, proxies, forwarders." (I would avoid the use of "stupid") This restriction does not appear as realistic to me in the current deployment. In the wave of IPv6 deployment and IPv4 sunset, I would suggest that examples (such as in 3.1.1) uses AAAA RR and not A. It is a little unclear to me WHEN the host should run those test? At boot time? At every network attach? When it resumes operation after a sleep period? Or a periodic test (such as hourly) ? This could cause a scalability problem in vast WiFi deployment. I am also a little puzzled by another hand waving "The goal of this document is to tie the above tests and aggregations to avoidance practices; however the document does not specify exactly how to do that." and later "Else return an useful error code" which will make interoperation (API portability) complex. With a little improvement for some unclear (to me) text, this document could be useful. Especially if either the mitigation part is improved or removed completely. I hope the above will help to improve a very useful document -éric