Skip to main content

Last Call Review of draft-ietf-dprive-dnsodtls-12

Request Review of draft-ietf-dprive-dnsodtls
Requested revision No specific revision (document currently at 15)
Type Last Call Review
Team Ops Directorate (opsdir)
Deadline 2016-11-16
Requested 2016-11-03
Authors Tirumaleswar Reddy.K , Dan Wing , Prashanth Patil
I-D last updated 2016-12-12
Completed reviews Genart Last Call review of -12 by Jouni Korhonen (diff)
Opsdir Last Call review of -12 by Éric Vyncke (diff)
Genart Telechat review of -13 by Jouni Korhonen (diff)
Assignment Reviewer Éric Vyncke
State Completed
Request Last Call review on draft-ietf-dprive-dnsodtls by Ops Directorate Assigned
Reviewed revision 12 (document currently at 15)
Result Ready
Completed 2016-12-12
I have reviewed this document as part of the Operational directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written with the intent of improving the operational aspects of
the IETF drafts. Comments that are not addressed in last call may be included
in AD reviews during the IESG review.  Document editors and WG chairs should
treat these comments  just like any other last call comments.

Status of the document: good to go from the operational point of view.

This experimental I-D specifies DNS over DTLS mainly to ensure privacy of the
information on the path. It complements RFC 7858 (DNS over TLS) with the
lightweight nature of UDP.

The document is clearly marked experimental and takes care of the co-existence
of 'normal' DNS server by probing on a different port before the DTLS session
(and will retry at a slow rate). The DTLS negotiation is only done once between
the DNS client and its resolving/recursive DNS server (so the overhead is not
that important on the long term). DNS over DTLS is only done between clients
and servers supporting this protocol, it does not impact existing/legacy DNS
clients and servers.

The DNS operator still sees the DNS requests so it can still do analytics. The
only case when this protocol hides information from a ISP is when the server is
not operated by the ISP, then ISP is then blinded (but using a VPN will have
the same effect).