Last Call Review of draft-ietf-dnsop-edns-key-tag-03

Request Review of draft-ietf-dnsop-edns-key-tag
Requested rev. no specific revision (document currently at 05)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2017-01-16
Requested 2017-01-02
Authors Duane Wessels, Warren Kumari, Paul Hoffman
Draft last updated 2017-01-12
Completed reviews Opsdir Telechat review of -04 by Mahesh Jethanandani (diff)
Genart Last Call review of -03 by Christer Holmberg (diff)
Secdir Last Call review of -03 by Scott Kelly (diff)
Genart Telechat review of -04 by Christer Holmberg (diff)
Assignment Reviewer Scott Kelly 
State Completed
Review review-ietf-dnsop-edns-key-tag-03-secdir-lc-kelly-2017-01-12
Reviewed rev. 03 (document currently at 05)
Review result Ready
Review completed: 2017-01-12


I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

Summary: this draft is ready.

From the introduction, 

   This draft sets out to specify a way for validating resolvers to tell
   a server in a DNS query which DNSSEC key(s) they would use to
   validate responses from that zone.  This is done in two ways: using
   an EDNS option for use in the OPT meta-RR [RFC6891] that contains the
   key tags (described in Section 4), and by periodically sending
   special "key tag queries" to a server authoritative for the zone
   (described in Section 5).

That pretty well sums it up. The security and privacy considerations sections cover all relevant issues. I see no problems with this document.

Minor editorial comment: section 5.3 ends with this bracketed comment:

 [ Note RFC1035 says NULL
   RRs are not allowed in master files, but I believe that to be
   incorrect ]

I assume this will be resolved prior to publication?