Last Call Review of draft-ietf-drip-auth-43
review-ietf-drip-auth-43-dnsdir-lc-ma-2024-01-08-00
| Request | Review of | draft-ietf-drip-auth |
|---|---|---|
| Requested revision | No specific revision (document currently at 49) | |
| Type | Last Call Review | |
| Team | DNS Directorate (dnsdir) | |
| Deadline | 2024-01-09 | |
| Requested | 2023-12-19 | |
| Authors | Adam Wiethuechter , Stuart W. Card , Robert Moskowitz | |
| I-D last updated | 2024-01-08 | |
| Completed reviews |
Tsvart Last Call review of -43
by Gorry Fairhurst
(diff)
Dnsdir Last Call review of -43 by Di Ma (diff) Dnsdir Telechat review of -46 by Di Ma (diff) Iotdir Telechat review of -45 by Behcet Sarikaya (diff) Intdir Telechat review of -46 by Carlos J. Bernardos (diff) Secdir Early review of -05 by Rich Salz (diff) Genart Early review of -24 by Matt Joras (diff) |
|
| Assignment | Reviewer | Di Ma |
| State | Completed | |
| Request | Last Call review on draft-ietf-drip-auth by DNS Directorate Assigned | |
| Posted at | https://mailarchive.ietf.org/arch/msg/dnsdir/6J52qDWU73irwIOOvAX4MA3yu9A | |
| Reviewed revision | 43 (document currently at 49) | |
| Result | Almost ready | |
| Completed | 2024-01-08 |
review-ietf-drip-auth-43-dnsdir-lc-ma-2024-01-08-00
I think this document is almost ready except for some specifications regarding the DNS. In section 3.1.1., "An Observer SHOULD query DNS for the UA's HI. If not available it may have been revoked. Note that accurate revocation status is a DIME inquiry; DNS non-response is a hint that a DET is expired or revoked. It MAY be retrieved from a local cache, if present. The local cache is typically populated by DNS lookups and/or by received Broadcast Endorsements (Section 3.1.2)." By comprehending RFC9374 and RFC9434, I think it would bring about new operational considerations to leverage current DNS to meet the need of naming in the context of UAS, especially due to DET the new DNS RR proposed by draft-ietf-drip-registries-14. It is therein inevitable to handle some anomalies of DNS queries triggered by DRIP-based Authentication. The current text here is not adequate for the consistency among different implementations. If the authors consider this issue could be left to private implementation, it should be explicitly stated here. Otherwise,I suggest authors consider adding extra content regarding DNS rcode extension. On the whole, I think authors should refer to which kind of DNS specification/RFCs normatively used by DRIP since the DNS is key to the DRIP architecture, given that DNS is evolving to DoH and DSO and so on.