Last Call Review of draft-ietf-dnsop-rfc8109bis-05
review-ietf-dnsop-rfc8109bis-05-dnsdir-lc-ma-2024-07-16-00

Request Review of draft-ietf-dnsop-rfc8109bis
Requested revision No specific revision (document currently at 07)
Type IETF Last Call Review
Team DNS Directorate (dnsdir)
Deadline 2024-07-29
Requested 2024-07-08
Authors Peter Koch, Matt Larson, Paul E. Hoffman
I-D last updated 2025-02-11 (Latest revision 2024-08-27)
Completed reviews Dnsdir Early review of -00 by Di Ma (diff)
Genart IETF Last Call review of -05 by Dale R. Worley (diff)
Dnsdir IETF Last Call review of -05 by Di Ma (diff)
Opsdir IETF Last Call review of -05 by Joe Clarke (diff)
Secdir IETF Last Call review of -05 by Mališa Vučinić (diff)
Dnsdir Telechat review of -06 by Patrick Mevzek (diff)
Intdir Telechat review of -06 by Dirk Von Hugo (diff)
Opsdir Telechat review of -06 by Joe Clarke (diff)
Assignment Reviewer Di Ma
State Completed
Request IETF Last Call review on draft-ietf-dnsop-rfc8109bis by DNS Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/dnsdir/2TYbaIDne342FbrWCy6IFgvibCQ
Reviewed revision 05 (document currently at 07)
Result Ready w/issues
Completed 2024-07-16
This version adds more discussions about DNSSEC to the priming exchange, which I
think need clearer statements.

In this document, the authors say “With such resolvers, an attacker that
controls a rogue root server effectively controls the entire domain name space
and can view all queries and alter all unsigned data undetected.”

However, this is not true when a DNSSEC-aware resolver has been configured with
one or more Trust Anchors from some TLDs. In such a case, it is not safe to say
"an attacker that controls a rogue root server effectively controls the entire
domain name space".