
Last Call Review of draft-ietf-dnsop-zoneversion-06
review-ietf-dnsop-zoneversion-06-secdir-lc-emery-2024-06-05-00

Request Review of draft-ietf-dnsop-zoneversion
Requested revision No specific revision (document currently at 11)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2024-06-11
Requested 2024-05-28
Authors Hugo Salgado, Mauricio Vergara Ereche, Duane Wessels
I-D last updated 2024-06-05
Completed reviews Dnsdir Last Call review of -08 by Nicolai Leymann (diff)
Secdir Last Call review of -06 by Shawn M Emery (diff)
Opsdir Last Call review of -06 by Dan Romascanu (diff)
Artart Last Call review of -07 by John R. Levine (diff)
Dnsdir Last Call review of -02 by Nicolai Leymann (diff)
Dnsdir Last Call review of -09 by Nicolai Leymann (diff)
Dnsdir Last Call review of -10 by Nicolai Leymann (diff)
Assignment Reviewer Shawn M Emery
State Completed
Request Last Call review on draft-ietf-dnsop-zoneversion by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/5CcCfrDwrmQOqmoWw3-uddYTB40
Reviewed revision 06 (document currently at 11)
Result Has nits
Completed 2024-06-05
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call
comments.

This draft specifies an extension in DNS for providing zone version information
for the associated query name.  This data allows callers to better correlate
the queried name to the zone version to which it belongs, in order to better
diagnose synchronicity issues.

The security considerations section does exist and describes that this EDNS
extension does not protect against an active attacker and therefore should be
used for diagnostic purposes only.  The section continues: if zone version
information is to be protected against an active attacker, then the user should
use TSIG (RFC 8945) or SIG(0) (RFC 2931) to authenticate and provide integrity
protection.  In addition, there are no new privacy issues introduced by the new
extension given that version information is already provided publicly.  I agree
with the aforementioned assertions.

General Comments:

What's an unsigned decimal integer vs. unsigned integer?

Editorial Comments:

s/and and/and/
s/correspond do/correspond to the/