
Last Call Review of draft-ietf-uta-rfc6125bis-12

Request Review of draft-ietf-uta-rfc6125bis
Requested revision No specific revision (document currently at 15)
Type Last Call Review
Team DNS Directorate (dnsdir)
Deadline 2023-07-03
Requested 2023-06-19
Authors Peter Saint-Andre , Rich Salz
I-D last updated 2023-06-21
Completed reviews Dnsdir Telechat review of -15 by Petr Špaček
Dnsdir Last Call review of -12 by Petr Špaček (diff)
Tsvart Last Call review of -12 by Dr. Joseph D. Touch (diff)
Genart Last Call review of -12 by Ines Robles (diff)
Dnsdir Last Call review of -12 by Petr Špaček (diff)
Dnsdir Last Call review of -14 by Petr Špaček (diff)
Secdir Early review of -08 by Derrell Piper (diff)
Opsdir Early review of -08 by Qin Wu (diff)
Assignment Reviewer Petr Špaček
State Completed
Request Last Call review on draft-ietf-uta-rfc6125bis by DNS Directorate Assigned
Reviewed revision 12 (document currently at 15)
Result Ready w/nits
Completed 2023-06-21
Reviewer: Petr Špaček
Review result: Ready with Nits


I was assigned as the dnsdir reviewer for draft-ietf-uta-rfc6125bis-13.

For more information about the DNS Directorate, please see

It seems that a couple of fixes for nits pointed out and agreed to (I believe) in
the previous round of review did not make it into the -13 version.

First, one new typo:
Search for "can is", it should be just "is". Context: "IPv4 address can is a
valid DNS name.".

Three not-yet-fixed nits which I believe we agreed to fix in our previous
e-mail exchange follow:

>   6.3. Matching the DNS Domain Name Portion
> 1.   There is only one wildcard character.
> 2.   The wildcard character appears only as the complete content of the
> left-most label.
> If the requirements are not met, the presented identifier is invalid and MUST
> be ignored. A wildcard in a presented identifier can only match exactly one
> label in a reference identifier. This specification covers only wildcard
> characters in presented identifiers, not wildcard characters in reference
> identifiers or in DNS domain names more generally. Therefore the use of
> wildcard characters as described herein is not to be confused with DNS
> wildcard matching, where the "*" label always matches at least one whole label
> and sometimes more; see [DNS-CONCEPTS], Section 4.3.3 and [DNS-WILDCARDS]. For
> information regarding the security characteristics of wildcard certificates,
> see Section 7.1.

I recommend adding an explicit statement that rules given here
_also_ intentionally deviate from RFC 4592 section 2.1.3.

Reasoning: It explicitly mentions deviation from 4.3.3, but a casual reader
might be confused by the preceding 2.1.3.

>   6.4. Matching an IP Address Portion
> This document does not specify how an SRV-ID reference identity can include
> an IP address.

I think SRV-ID clearly says it's just a DNS name, so the presented identifier
cannot match an IP address. I think this section should clearly say that IP
addresses cannot match SRV-ID.

> 7.4. IP Addresses

Maybe add a reference to section 3. Designing Application Protocols where this
is discussed (in the last paragraph)?

All the rest was addressed in -13.

Thank you!
Petr Špaček
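The wildcard rules quoted in the 6.3 excerpt above, worked through as an added example (not code from the draft or from the reviewer): a presented-identifier check that applies rules 1 and 2, treats an invalid wildcard identifier as ignored, lets "*" consume exactly one label, and, for contrast, a DNS-style comparison in which the "*" label covers one or more labels. Rejecting a bare "*" with no labels after it is this example's own conservative assumption, not a rule from the quoted text.

```python
# Added example: 6125bis-style wildcard matching for presented identifiers,
# contrasted with DNS wildcard semantics. Not the draft's or the reviewer's code.

def _labels(name: str) -> list[str]:
    # DNS names compare case-insensitively; drop a trailing dot before splitting.
    return name.rstrip(".").lower().split(".")

def wildcard_identifier_is_valid(presented: str) -> bool:
    """Rule 1: only one '*'. Rule 2: '*' is the complete left-most label."""
    stars = presented.count("*")
    if stars == 0:
        return True            # no wildcard, nothing to validate here
    if stars != 1:
        return False           # rule 1 violated, e.g. "*.*.example.com"
    labels = _labels(presented)
    if labels[0] != "*":
        return False           # rule 2 violated, e.g. "f*.example.com"
    # Assumption of this example (not in the quoted rules): a bare "*" with
    # no labels after it is rejected rather than allowed to match anything.
    return len(labels) >= 2

def presented_matches_reference(presented: str, reference: str) -> bool:
    """Invalid wildcard identifiers are ignored (no match); a valid '*'
    matches exactly one label of the reference identifier."""
    if not wildcard_identifier_is_valid(presented) or "*" in reference:
        return False           # reference identifiers never carry wildcards
    p, r = _labels(presented), _labels(reference)
    if p[0] != "*":
        return p == r          # plain identifier: whole-name equality
    # '*' consumes exactly one label; every remaining label must be equal.
    return len(p) == len(r) and p[1:] == r[1:]

def dns_wildcard_covers(owner: str, qname: str) -> bool:
    """DNS-style wildcard for contrast: the '*' label matches at least one
    whole label and sometimes more (the deviation the review points at)."""
    o, q = _labels(owner), _labels(qname)
    if o[0] != "*":
        return o == q
    suffix = o[1:]
    return len(q) > len(suffix) and q[len(q) - len(suffix):] == suffix

if __name__ == "__main__":
    # Constructed sample pairs showing where the two semantics diverge.
    for pres, ref in [("*.example.com", "www.example.com"),
                      ("*.example.com", "a.b.example.com"),
                      ("f*.example.com", "foo.example.com")]:
        print(pres, ref, "6125bis:", presented_matches_reference(pres, ref),
              "DNS:", dns_wildcard_covers(pres, ref))
```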