Skip to main content

Last Call Review of draft-ietf-dnsop-rfc6304bis-03

Request Review of draft-ietf-dnsop-rfc6304bis
Requested revision No specific revision (document currently at 06)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2014-08-19
Requested 2014-07-17
Authors Joe Abley , William F. Maton
I-D last updated 2014-08-15
Completed reviews Genart Last Call review of -03 by Tom Taylor (diff)
Genart Telechat review of -04 by Tom Taylor (diff)
Secdir Last Call review of -03 by Brian Weis (diff)
Opsdir Telechat review of -04 by Scott O. Bradner (diff)
Assignment Reviewer Brian Weis
State Completed
Request Last Call review on draft-ietf-dnsop-rfc6304bis by Security Area Directorate Assigned
Reviewed revision 03 (document currently at 06)
Result Ready
Completed 2014-08-15
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call

This document replaces RFC 6304, which describes AS112 Nameserver operations.
AS112 nameservers are responsible for answering DNS reverse lookup to
private-use queries that somehow leaked out of private network into the
Internet. RFC 6304 described the operations for these DNS name servers handling
these queries. The main contribution of the present document is support for a
new DNAME redirection zone defined in draft-ietf-dnsop-as112-dname-03,
including adding it to the sample BIND9 configurations. It also updates the
BIND9 configurations to support IPv6, and includes a number of new IANA actions.

Although I have a limited DNS background, the advice in this document appears
to be conservative such that attacks on or using AS112 name servers are
mitigated as much as possible in the absence of DNSSEC.

The security considerations section ends with a statement that DNSSEC is
unlikely to be effective for AS112 name servers and I believe the rationale is
accurate. Any entity wishing to provide an AS112 name server to provide a
service of replying to private-use queries is encouraged to do so. Because
AS112 name servers are announced via anycast, all AS112 name servers would be
required to use a single public key. This indicates that the corresponding
private key would need to be widely available, which rather defeats its purpose.