Last Call Review of draft-ietf-dnssd-hybrid-07
review-ietf-dnssd-hybrid-07-opsdir-lc-jaeggli-2017-10-22-00

Request: Review of draft-ietf-dnssd-hybrid-07
Requested rev.: 07
Type: Last Call Review
Team: Ops Directorate (opsdir)
Deadline: 2017-10-11
Requested: 2017-09-27
Requested by: Terry Manderson
Other Reviews: Genart Last Call review of -07 by Joel Halpern; Secdir Last Call review of -07 by Dan Harkins
Comments: Please review this document especially in light of DNS semantics, DNS operation, and implications (if any) in IoT.
Review State: Completed
Reviewer: Joel Jaeggli
Review: review-ietf-dnssd-hybrid-07-opsdir-lc-jaeggli-2017-10-22
Posted at: https://mailarchive.ietf.org/arch/msg/ops-dir/hdmaEG165ElpYh-QbcbW1Q-lkzo
Reviewed rev.: 07
Review result: Has Nits
Draft last updated: 2017-10-22
Review closed: 2017-10-22

Review

I reviewed this draft, draft-ietf-dnssd-hybrid-07, on behalf of the operations and management area directorate.

While the security considerations do address the problem of information leakage from publishing information in DNS zones that may be resolvable from outside the administrative zone they are intended to be used in, I think the reverse zone, and in particular the IPv4 reverse zone, is particularly subject to this problem. If the nameservers serving the reverse zone are those to which the public IPv4 prefix is delegated, then it is possible to walk the zone, trolling for hosts that may not otherwise be easy to identify (because you do not know a priori what services they might be advertising). This might identify particular hosts, but it also might be used to identify subnets in which dynamic allocation occurs or where hosts come and go. I think it would be desirable to provide explanatory text on the potential dangers of exposing the reverse zones in particular.