Skip to main content

Last Call Review of draft-ietf-dnsop-nxdomain-cut-03

Request Review of draft-ietf-dnsop-nxdomain-cut
Requested revision No specific revision (document currently at 05)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2016-07-29
Requested 2016-07-21
Authors Stéphane Bortzmeyer , Shumon Huque
I-D last updated 2016-07-28
Completed reviews Genart Last Call review of -03 by Meral Shirazipour (diff)
Genart Telechat review of -04 by Meral Shirazipour (diff)
Secdir Last Call review of -03 by Adam W. Montville (diff)
Opsdir Last Call review of -03 by Sheng Jiang (diff)
Assignment Reviewer Adam W. Montville
State Completed
Request Last Call review on draft-ietf-dnsop-nxdomain-cut by Security Area Directorate Assigned
Reviewed revision 03 (document currently at 05)
Result Ready
Completed 2016-07-28
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call

This document is: Ready

This document explains the reasoning behind, and advantages of, NXDOMAIN cut—a
method of ensuring that non-existence of a node in the domain name tree implies
non-existence of the entire sub-tree.  The solution does seem to require
DNSSEC, as mentioned in the security considerations section, to avoid certain
DOS circumstances (which are already possible, but potentially amplified by




 Message signed with OpenPGP using GPGMail