Last Call Review of draft-ietf-dnsop-extended-error-14
review-ietf-dnsop-extended-error-14-secdir-lc-meadows-2020-03-31-00
| Request | Review of | draft-ietf-dnsop-extended-error |
|---|---|---|
| Requested revision | No specific revision (document currently at 16) | |
| Type | Last Call Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2020-04-02 | |
| Requested | 2020-03-12 | |
| Authors | Warren "Ace" Kumari , Evan Hunt , Roy Arends , Wes Hardaker , David C Lawrence | |
| I-D last updated | 2020-03-31 | |
| Completed reviews |
Secdir Last Call review of -14
by Catherine Meadows
(diff)
Genart Last Call review of -14 by Joel M. Halpern (diff) Opsdir Last Call review of -14 by Scott O. Bradner (diff) |
|
| Assignment | Reviewer | Catherine Meadows |
| State | Completed | |
| Request | Last Call review on draft-ietf-dnsop-extended-error by Security Area Directorate Assigned | |
| Posted at | https://mailarchive.ietf.org/arch/msg/secdir/TOH5k61BzO1C1GxO3nTGGQF0ops | |
| Reviewed revision | 14 (document currently at 16) | |
| Result | Has issues | |
| Completed | 2020-03-31 |
review-ietf-dnsop-extended-error-14-secdir-lc-meadows-2020-03-31-00
This ID defines an extensible method to return information about the cause of DNS errors. It extends both the type of response that can contain error messages and the type of messages that can be returned, and includes mechanisms that can be used to add more as needed. The Security Considerations section mentions some valid points, but it is not made clear how they apply to extended DNS error messages (as opposed to DNS error messages in general). It first makes the non-obvious point that a significant number of clients, when receiving a failure message about a DNS validation issue from a validated resolver, will seek out an unvalidated server instead. It is not clear to me though whether you think that extending the types of DNS error messages available (thus giving more information to the client) would help address this problem. You should say something about this. Secondly, it discusses the security implications of the fact that DNS error messages are unauthenticated. In addition, in the paragraph about the security implications of DNS error messages being unauthenticated, you should say whether or not extending the types of DNS error messages would improve the situation, make it worse, have no effect, or is unclear.