Last Call Review of draft-ietf-ipsecme-split-dns-12
review-ietf-ipsecme-split-dns-12-opsdir-lc-chown-2018-08-30-00

Request Review of draft-ietf-ipsecme-split-dns
Requested revision No specific revision (document currently at 17)
Type Last Call Review
Team Ops Directorate (opsdir)
Deadline 2018-08-24
Requested 2018-08-10
Authors Tommy Pauly, Paul Wouters
I-D last updated 2018-08-30
Completed reviews Opsdir Telechat review of -16 by Tim Chown (diff)
Secdir Last Call review of -12 by Stefan Santesson (diff)
Genart Last Call review of -12 by Christer Holmberg (diff)
Opsdir Last Call review of -12 by Tim Chown (diff)
Assignment Reviewer Tim Chown
State Completed
Request Last Call review on draft-ietf-ipsecme-split-dns by Ops Directorate Assigned
Reviewed revision 12 (document currently at 17)
Result Has issues
Completed 2018-08-30
Hi,

I have reviewed this document as part of the Operational directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written with the intent of improving the operational aspects of
the IETF drafts. Comments that are not addressed in last call may be included
in AD reviews during the IESG review.  Document editors and WG chairs should
treat these comments just like any other last call comments.

The document is well-written and clear to follow, and addresses an existing
problem.  Overall, the document is close to being ready for publication.

I have a couple of clarification questions, and a couple of minor nits.

Firstly, I am a little confused by the apparent discrepancy in Sections 1
(Introduction) and 5 (INTERNAL_DNS_DOMAIN Configuration Guidelines).

In Section 1, paragraph 3 it says:

" The INTERNAL_DNS_DOMAIN attribute type is used to convey one or more
   DNS domains that SHOULD be resolved only using the provided DNS
   nameserver IP addresses, causing these requests to use the IPsec
   connection."

But in Section 5 it says:

"For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload that is not
   prohibited by local policy, the client MUST use the provided
   INTERNAL_IP4_DNS or INTERNAL_IP6_DNS DNS servers as the only
   resolvers for the listed domains and its sub-domains and it MUST NOT
   attempt to resolve the provided DNS domains using its external DNS
   servers."

So is it a SHOULD or a MUST, or is there a contextual difference I've
overlooked here?

Secondly, should the case of a client in a dual-stack environment only getting
an INTERNAL_IP4_DNS in the response be explicitly mentioned, in that in such
cases presumably the client should then not do any DNS resolution over IPv6
transport to any other IPv6-enabled resolvers it has learnt?  There are various
related issues discussed in RFC 7359.

First nit:

In Section 3.4.1 perhaps it would be better to move the explanation
paragraph(s) to after the example, to improve the flow of the text.  Similarly
in 3.4.2, move the explanation after the example configuration.

Second nit:

Is the Background section needed given the Introduction?  The Background text
would for example be a good start to the Introduction section.
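As an added illustration (not part of the review or the draft), the following Python models the Section 5 client rule quoted above: for each INTERNAL_DNS_DOMAIN not prohibited by local policy, the tunnel-provided INTERNAL_IP4_DNS/INTERNAL_IP6_DNS servers are the only resolvers for that domain and its sub-domains, and every other name goes to the client's external resolvers. The CfgReply class, the address values and the prohibited-domain list are constructed for the example; the dual-stack case the review raises falls out of the rule, since a reply carrying only INTERNAL_IP4_DNS yields only those servers for the internal domains.

```python
from dataclasses import dataclass, field
from typing import List, Optional


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip a trailing root dot."""
    return name.rstrip(".").lower()


def in_domain(qname: str, domain: str) -> bool:
    """True if qname equals `domain` or is one of its sub-domains.

    Matching happens at label boundaries, so `notexample.com` is
    not treated as a sub-domain of `example.com`.
    """
    q, d = normalize(qname), normalize(domain)
    return q == d or q.endswith("." + d)


@dataclass
class CfgReply:
    """Constructed stand-in for the DNS attributes of an IKEv2 CFG_REPLY."""
    internal_ip4_dns: List[str] = field(default_factory=list)
    internal_ip6_dns: List[str] = field(default_factory=list)
    internal_dns_domain: List[str] = field(default_factory=list)


def select_resolvers(qname: str, reply: CfgReply, external_dns: List[str],
                     prohibited: Optional[List[str]] = None) -> List[str]:
    """Return the only resolvers the client may use for qname.

    Section 5 rule: a name under any non-prohibited INTERNAL_DNS_DOMAIN is
    resolved solely via the provided INTERNAL_IP4_DNS/INTERNAL_IP6_DNS
    servers; anything else uses the client's external resolvers.
    """
    blocked = {normalize(p) for p in (prohibited or [])}  # local policy (assumed input)
    internal = reply.internal_ip4_dns + reply.internal_ip6_dns
    for domain in reply.internal_dns_domain:
        if normalize(domain) in blocked:
            continue  # local policy overrides this entry
        if in_domain(qname, domain):
            # Only tunnel-provided servers, whatever their address family.
            # With INTERNAL_IP4_DNS alone, a dual-stack client therefore
            # gets no IPv6 resolver for this domain instead of leaking the
            # query to an external IPv6 resolver it learnt elsewhere.
            return list(internal)
    return list(external_dns)
```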