Last Call Review of draft-ietf-dnsop-nxdomain-cut-03

Request Review of draft-ietf-dnsop-nxdomain-cut
Requested rev. no specific revision (document currently at 05)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2016-07-29
Requested 2016-07-21
Authors Stéphane Bortzmeyer, Shumon Huque
Draft last updated 2016-07-28
Completed reviews Genart Last Call review of -03 by Meral Shirazipour (diff)
Genart Telechat review of -04 by Meral Shirazipour (diff)
Secdir Last Call review of -03 by Adam Montville (diff)
Opsdir Last Call review of -03 by Sheng Jiang (diff)
Assignment Reviewer Adam Montville
State Completed
Review review-ietf-dnsop-nxdomain-cut-03-secdir-lc-montville-2016-07-28
Reviewed rev. 03 (document currently at 05)
Review result Ready
Review completed: 2016-07-28


I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document is: Ready

This document explains the reasoning behind, and advantages of, NXDOMAIN cut—a method of ensuring that non-existence of a node in the domain name tree implies non-existence of the entire sub-tree.  The solution does seem to require DNSSEC, as mentioned in the security considerations section, to avoid certain DOS circumstances (which are already possible, but potentially amplified by NXDOMAIN cut).




 Message signed with OpenPGP using GPGMail