Last Call Review of draft-ietf-dnsop-name-server-management-reqs-
review-ietf-dnsop-name-server-management-reqs-secdir-lc-nystrom-2010-11-13-00

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

This document describes requirements on management solutions for name servers.

I find this document easy to read and well organized, but have the
following security-related suggestions and questions:

- Section 3.2.2: When developing requirements for a new management
solution, why not require support for DNSSEC?
- Section 4.4: "Fine-grained" is not defined. I believe a management
solution for name servers always should provide an authorization
solution, and would suggest you change the initial sentence of this
requirement to say: "The solution MUST be capable of providing an
authorization model for any management protocols it introduces to the
completed system."
- Section 6 (Security Considerations): The first sentence is
essentially a tautology: "Any management protocol that meets the
criteria discussed in this document needs to support the criteria
discussed in Section 4 [in this document] ..." I suggest striking this
sentence as those criteria already are mandated anyway. Alternatively,
re-formulate to something like: "Any management protocol for which
conformance to this document is claimed needs to fully support the
criteria discussed in Section 4 ..."

-- Magnus