Last Call Review of draft-ietf-ipsecme-split-dns-12
review-ietf-ipsecme-split-dns-12-opsdir-lc-chown-2018-08-30-00

Request Review of draft-ietf-ipsecme-split-dns
Requested rev. no specific revision (document currently at 14)
Type Last Call Review
Team Ops Directorate (opsdir)
Deadline 2018-08-24
Requested 2018-08-10
Other Reviews Secdir Last Call review of -12 by Stefan Santesson (diff)
Genart Last Call review of -12 by Christer Holmberg (diff)
Review State Completed
Reviewer Tim Chown
Review review-ietf-ipsecme-split-dns-12-opsdir-lc-chown-2018-08-30
Posted at https://mailarchive.ietf.org/arch/msg/ops-dir/-IFRi1CgG6OziNDSsH68YVcTYvc
Reviewed rev. 12 (document currently at 14)
Review result Has Issues
Draft last updated 2018-08-30
Review completed: 2018-08-30

Review
review-ietf-ipsecme-split-dns-12-opsdir-lc-chown-2018-08-30

Hi,

I have reviewed this document as part of the Operational directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written with the intent of improving the operational aspects of the IETF drafts. Comments that are not addressed in last call may be included in AD reviews during the IESG review.  Document editors and WG chairs should treat these comments just like any other last call comments.

The document is well-written and clear to follow, and addresses an existing problem.  Overall, the document is close to being ready for publication.

I have a couple of clarification questions, and a couple of minor nits.

Firstly, I am a little confused by the apparent discrepancy in Sections 1 (Introduction) and 5 (INTERNAL_DNS_DOMAIN Configuration Guidelines).  

In Section 1, paragraph 3 it says:

" The INTERNAL_DNS_DOMAIN attribute type is used to convey one or more
   DNS domains that SHOULD be resolved only using the provided DNS
   nameserver IP addresses, causing these requests to use the IPsec
   connection."

But in Section 5 it says:

"For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload that is not
   prohibited by local policy, the client MUST use the provided
   INTERNAL_IP4_DNS or INTERNAL_IP6_DNS DNS servers as the only
   resolvers for the listed domains and its sub-domains and it MUST NOT
   attempt to resolve the provided DNS domains using its external DNS
   servers. "

So is it a SHOULD or a MUST, or is there a contextual difference I've overlooked here?

Secondly, should the case of a client in a dual-stack environment only getting an INTERNAL_IP4_DNS in the response be explicitly mentioned, in that in such cases presumably the client should then not do any DNS resolution over IPv6 transport to any other IPv6-enabled resolvers it has learnt?  There are various related issues discussed in RFC 7359.

First nit:

In Section 3.4.1 perhaps it would be better to move the explanation paragraph(s) to after the example, to improve the flow of the text.  Similarly in 3.4.2, move the explanation after the example configuration.

Second nit:

Is the Background section needed given the Introduction?   The Background text would for example be a good start to the Introduction section.