Last Call Review of draft-ietf-dnsop-rfc6304bis-03
review-ietf-dnsop-rfc6304bis-03-secdir-lc-weis-2014-08-15-00

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call
comments.

This document replaces RFC 6304, which describes AS112 Nameserver operations.
AS112 nameservers are responsible for answering DNS reverse lookup to
private-use queries that somehow leaked out of private network into the
Internet. RFC 6304 described the operations for these DNS name servers handling
these queries. The main contribution of the present document is support for a
new DNAME redirection zone defined in draft-ietf-dnsop-as112-dname-03,
including adding it to the sample BIND9 configurations. It also updates the
BIND9 configurations to support IPv6, and includes a number of new IANA actions.

Although I have a limited DNS background, the advice in this document appears
to be conservative such that attacks on or using AS112 name servers are
mitigated as much as possible in the absence of DNSSEC.

The security considerations section ends with a statement that DNSSEC is
unlikely to be effective for AS112 name servers and I believe the rationale is
accurate. Any entity wishing to provide an AS112 name server to provide a
service of replying to private-use queries is encouraged to do so. Because
AS112 name servers are announced via anycast, all AS112 name servers would be
required to use a single public key. This indicates that the corresponding
private key would need to be widely available, which rather defeats its purpose.

Brian