Skip to main content

Last Call Review of draft-ietf-ipsecme-split-dns-12
review-ietf-ipsecme-split-dns-12-opsdir-lc-chown-2018-08-30-00

Request Review of draft-ietf-ipsecme-split-dns
Requested revision No specific revision (document currently at 17)
Type Last Call Review
Team Ops Directorate (opsdir)
Deadline 2018-08-24
Requested 2018-08-10
Authors Tommy Pauly , Paul Wouters
Draft last updated 2018-08-30
Completed reviews Opsdir Telechat review of -16 by Tim Chown (diff)
Secdir Last Call review of -12 by Stefan Santesson (diff)
Genart Last Call review of -12 by Christer Holmberg (diff)
Opsdir Last Call review of -12 by Tim Chown (diff)
Assignment Reviewer Tim Chown
State Completed
Review review-ietf-ipsecme-split-dns-12-opsdir-lc-chown-2018-08-30
Reviewed revision 12 (document currently at 17)
Result Has Issues
Completed 2018-08-30
review-ietf-ipsecme-split-dns-12-opsdir-lc-chown-2018-08-30-00
Hi,

I have reviewed this document as part of the Operational directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written with the intent of improving the operational aspects of
the IETF drafts. Comments that are not addressed in last call may be included
in AD reviews during the IESG review.  Document editors and WG chairs should
treat these comments just like any other last call comments.

The document is well-written and clear to follow, and addresses an existing
problem.  Overall, the document is close to being ready for publication.

I have a couple of clarification questions, and a couple of minor nits.

Firstly, I am a little confused by the apparent discrepancy in Sections 1
(Introduction) and 5 (INTERNAL_DNS_DOMAIN Configuration Guidelines).

In Section 1, paragraph 3 it says:

" The INTERNAL_DNS_DOMAIN attribute type is used to convey one or more
   DNS domains that SHOULD be resolved only using the provided DNS
   nameserver IP addresses, causing these requests to use the IPsec
   connection."

But in Section 5 it says:

"For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload that is not
   prohibited by local policy, the client MUST use the provided
   INTERNAL_IP4_DNS or INTERNAL_IP6_DNS DNS servers as the only
   resolvers for the listed domains and its sub-domains and it MUST NOT
   attempt to resolve the provided DNS domains using its external DNS
   servers. "

So is it a SHOULD or a MUST, or is there a contextual difference I've
overlooked here?

Secondly, should the case of a client in a dual-stack environment only getting
an INTERNAL_IP4_DNS in the response be explicitly mentioned, in that in such
cases presumably the client should then not do any DNS resolution over IPv6
transport to any other IPv6-enabled resolvers it has learnt?  There are various
related issues discussed in RFC 7359.

First nit:

In Section 3.4.1 perhaps it would be better to move the explanation
paragraph(s) to after the example, to improve the flow of the text.  Similarly
in 3.4.2, move the explanation after the example configuration.

Second nit:

Is the Background section needed given the Introduction?   The Background text
would for example be a good start to the Introduction section.