Last Call Review of draft-ietf-dnsop-rfc6304bis-03
review-ietf-dnsop-rfc6304bis-03-secdir-lc-weis-2014-08-15-00
| Request | Review of draft-ietf-dnsop-rfc6304bis |
|---|---|
| Requested revision | No specific revision (document currently at 06) |
| Type | Last Call Review |
| Team | Security Area Directorate (secdir) |
| Deadline | 2014-08-19 |
| Requested | 2014-07-17 |
| Authors | Joe Abley, William F. Maton |
| I-D last updated | 2014-08-15 |
| Completed reviews | Genart Last Call review of -03 by Tom Taylor; Genart Telechat review of -04 by Tom Taylor; Secdir Last Call review of -03 by Brian Weis; Opsdir Telechat review of -04 by Scott O. Bradner |
| Assignment | Reviewer: Brian Weis |
| State | Completed |
| Request | Last Call review on draft-ietf-dnsop-rfc6304bis by Security Area Directorate |
| Reviewed revision | 03 (document currently at 06) |
| Result | Ready |
| Completed | 2014-08-15 |
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document replaces RFC 6304, which describes AS112 nameserver operations. AS112 nameservers are responsible for answering DNS reverse lookups for private-use queries that somehow leaked out of a private network into the Internet. RFC 6304 described the operations for the DNS name servers handling these queries. The main contribution of the present document is support for a new DNAME redirection zone defined in draft-ietf-dnsop-as112-dname-03, including adding it to the sample BIND9 configurations. It also updates the BIND9 configurations to support IPv6, and includes a number of new IANA actions.

Although I have a limited DNS background, the advice in this document appears to be conservative, such that attacks on or using AS112 name servers are mitigated as much as possible in the absence of DNSSEC. The security considerations section ends with a statement that DNSSEC is unlikely to be effective for AS112 name servers, and I believe the rationale is accurate. Any entity wishing to provide an AS112 name server to provide a service of replying to private-use queries is encouraged to do so. Because AS112 name servers are announced via anycast, all AS112 name servers would be required to use a single public key. This indicates that the corresponding private key would need to be widely available, which rather defeats its purpose.

Brian