Early Review of draft-ietf-dnsop-structured-dns-error-03
review-ietf-dnsop-structured-dns-error-03-dnsdir-early-ma-2023-06-25-01
Request | Review of | draft-ietf-dnsop-structured-dns-error |
---|---|---|
Requested revision | No specific revision (document currently at 09) | |
Type | Early Review | |
Team | DNS Directorate (dnsdir) | |
Deadline | 2023-06-30 | |
Requested | 2023-05-30 | |
Requested by | Tim Wicinski | |
Authors | Dan Wing , Tirumaleswar Reddy.K , Neil Cook , Mohamed Boucadair | |
I-D last updated | 2023-06-27 | |
Completed reviews |
Dnsdir Early review of -03
by Matt Brown
(diff)
Dnsdir Early review of -03 by Di Ma (diff) Secdir Early review of -03 by Joseph A. Salowey (diff) |
|
Assignment | Reviewer | Di Ma |
State | Completed | |
Request | Early review on draft-ietf-dnsop-structured-dns-error by DNS Directorate Assigned | |
Posted at | https://mailarchive.ietf.org/arch/msg/dnsdir/gZDKB6PYWHbA6-e33xnZnQ9SarA | |
Reviewed revision | 03 (document currently at 09) | |
Result | Ready | |
Completed | 2023-06-27 |
review-ietf-dnsop-structured-dns-error-03-dnsdir-early-ma-2023-06-25-01
Hi, Med, All the clarifications and updates you have made to this draft are fine by me. Di > 2023年6月27日 14:23,mohamed.boucadair--- via dnsdir <dnsdir@ietf.org> 写道: > > Hi Di, > > Thanks for the review. > > Please see inline. > > Cheers, > Med > >> -----Message d'origine----- >> De : Di Ma via Datatracker <noreply@ietf.org> >> Envoyé : lundi 26 juin 2023 07:59 >> À : dnsdir@ietf.org >> Cc : dnsop@ietf.org; draft-ietf-dnsop-structured-dns- >> error.all@ietf.org >> Objet : Dnsdir early review of draft-ietf-dnsop-structured-dns- >> error-03 >> >> Reviewer: Di Ma >> Review result: Ready with Nits >> >> Generally speaking, I think the extension to DNS proposed by this >> document will not affect DNS operations adversely since it is >> common and mature to extend >> EDNS0 to carry DNS signaling information as far as I observed. >> >> I have got several technical comments for the authors to consider: >> >> As stated in section 5.2 “If EDE support is signaled in the query >> the server MUST NOT return the "Forged Answer" extended error >> code...”, is “Forged Answer” the only code that is not allowed? > > [Med] It is the only one to report that filtering happened but still an answer is being provided. > > Note that the candidate list of codes is called out in: > > For the DNS filtering mechanisms described in Section 3 the DNS > server can return extended error codes Blocked, Filtered, or Forged > Answer defined in Section 4 of [RFC8914]. However, these codes only > explain that filtering occurred but lack detail for the user to > diagnose erroneous filterings. > >> suggest authors articulate the rule not just an instance, in order >> to facilitate the consistency among different implementations. >> >> As in section 5.3, “On receipt of a DNS response with an EDE >> option from a DNS responder, the following actions are performed >> on the EXTRA-TEXT field”, are all those “actions” ordered or >> unordered? I think it needs to be specified. >> > > [Med] The actions are not provided in the execution order: clarified in https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-structured-dns-error/pull/32/files. > >> In section 6, RPZ is not standardized by IETF. I suggest removing >> “Interoperation with RPZ Servers” or moving it to appendix since >> this draft is intended to be a standards track RFC. >> > > [Med] This is fair. Please see the PR at https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-structured-dns-error/pull/31/files. > >> And I also have some editorial comments: >> > > [Med] All good points. Please see the PR at https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-structured-dns-error/pull/30/files. > >> In section 4, “The contact details of the IT/InfoSec team to >> report mis-classified DNS filtering. This field is structured as >> an array of contact URIs (e.g., tel, sips, https). At least one >> contact URI MUST be included. This field is mandatory.” It is >> necessary to reference RFCs to “tel, sips, https”. >> >> In section 5.3, there is an in-paragraph long space breaking “If a >> DNS client has enabled opportunistic privacy profile (Section 5 of >> [RFC8310]) for DoT, the DNS client will either fall back to an...” >> ...and “encrypted connection without authenticating the DNS >> server...”. >> >> In section 5.3, the first action is described as “Verify the field >> contains valid JSON.” which is the only segment using a verb to >> describe the very action. I think it would be better to align all >> the action description wording. >> >> > > ____________________________________________________________________________________________________________ > Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc > pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler > a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, > Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. > > This message and its attachments may contain confidential or privileged information that may be protected by law; > they should not be distributed, used or copied without authorisation. > If you have received this email in error, please notify the sender and delete this message and its attachments. > As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. > Thank you. > -- > dnsdir mailing list > dnsdir@ietf.org > https://www.ietf.org/mailman/listinfo/dnsdir