
Early Review of draft-ietf-dnsop-svcb-dane-01
review-ietf-dnsop-svcb-dane-01-secdir-early-eastlake-2023-07-12-00

Request: Review of draft-ietf-dnsop-svcb-dane-01
Requested revision: 01 (document currently at 03)
Type: Early Review
Team: Security Area Directorate (secdir)
Deadline: 2023-07-12
Requested: 2023-06-23
Requested by: Tim Wicinski
Authors: Benjamin M. Schwartz, Robert Evans
I-D last updated: 2023-07-12
Completed reviews: Dnsdir Early review of -01 by Patrick Mevzek; Secdir Early review of -01 by Donald E. Eastlake 3rd
Assignment: Reviewer Donald E. Eastlake 3rd
State: Completed
Request: Early review on draft-ietf-dnsop-svcb-dane by Security Area Directorate (Assigned)
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/q3RNK2e-XR-rG0F4OWlJG_NZpq0
Reviewed revision: 01 (document currently at 03)
Result: Has nits
Completed: 2023-07-12
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents. Document editors and WG chairs should
treat these comments just like any other comments.

The summary of the review is Ready with nits.

This document specifies the interaction of DANE (DNS-Based Authentication
of Named Entities) and DNS Service Bindings (SVCB). It also adds "_quic" to
the IANA Underscored and Globally Scoped DNS Node Names registry for use
with the TLSA Resource Record (RR).

This is an early review. The document appears to be adequate from a
security perspective. The heavy lifting occurs through the use of DNSSEC
and TLS/DTLS specified elsewhere. This document is mostly about how things
fit together and what various RRs would look like. It includes the TLS 1.3
RFC in the References section and should probably also include DNSSEC
references which should be referred to at an appropriate place in the text.

I provide some comments below, most of which are just wording suggestions.

First page headings: "Updates" should just have the RFC number "6698" not
"rfc6698" (See in the xml source where it says 'updates="rfc6698" '.)

Title: I suggest expanding a bit to something like the following, which
the RFC Editor may want you to do anyway:
    "Using DNS Service Bindings (SVCB) with DNS-Based Authentication of
Named Entities (DANE)"

Abstract: I think it should mention "_quic". I suggest something like

DNS Service Binding (SVCB) resource records (RRs) add a new form of name
indirection to the DNS. This document specifies DNS-Based Authentication of
Named Entities (DANE) interaction with Service Bindings to secure
endpoints, including the use of ports and transports discovered via Service
Parameters. It also specifies the _quic underscored DNS node name to
designate the QUIC transport.

Section 1, last word of first paragraph: maybe "TLS" -> "TLS/DTLS".

This document would benefit from some additional terminology definitions in
Section 2 for such things as SvcParam and SNI. Perhaps there should be a
reference to the DNS terminology draft-ietf-dnsop-rfc8499bis-08.

Section 3, 2nd paragraph: "was entirely secure" -> "was entirely secured by
DNSSEC".

Section 5.2: Is "Accidental" the right word in the Section name? Would
"Erroneous" or some other word be better?
- It isn't clear from the text what a "third-party consumer" is. Maybe a
figure with boxes would help. "third-party" is hyphenated in one place but
not in another.
- In the last sentence, "take caution" sounds a little odd to me; suggest
either "take care" or "be cautious".

Section 6, first line: suggest "property" -> "part"

Section 8: Seems more polite to say "requested" rather than "instructed".

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 2386 Panoramic Circle, Apopka, FL 32703 USA
 d3e3e3@gmail.com