Last Call Review of draft-iab-2870bis-01
review-iab-2870bis-01-secdir-lc-wierenga-2014-05-30-00

Request Review of draft-iab-2870bis
Requested rev. no specific revision (document currently at 03)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2014-06-20
Requested 2014-05-22
Draft last updated 2014-05-30
Completed reviews Genart Last Call review of -01 by Martin Thomson (diff)
Genart Telechat review of -01 by Martin Thomson (diff)
Opsdir Last Call review of -01 by Mahalingam Mani (diff)
Opsdir Telechat review of -02 by Mahalingam Mani (diff)
Secdir Last Call review of -01 by Klaas Wierenga (diff)
Assignment Reviewer Klaas Wierenga
State Completed
Review review-iab-2870bis-01-secdir-lc-wierenga-2014-05-30
Reviewed rev. 01 (document currently at 03)
Review result Has Nits
Review completed: 2014-05-30

Review
review-iab-2870bis-01-secdir-lc-wierenga-2014-05-30

Hi,

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This document specifies he protocol and deployment requirements expected to be implemented for the DNS root name service, operational requirements are taken out of 2870, those are published separately (one hopes, see below).
The document is short (thank you! ;-) and clear. I consider it ready with a few issues:

===

- paragraph 3 (deployment requirements):

"The root name service:

      MUST answer queries from any entity conforming to [RFC1122] with a
      valid IP address.”

I find this a bit confusing. Perhaps showing my ignorance, but should it not be be “… with a valid IP-address or a referral to an authoritative name server”?

- paragraph 4 (security considerations):

This is a bit weak imo. 

At the very least I would expect some discussion about privacy here or in a separate section “privacy considerations”, queries to the root give good insight into what sites the requester is visiting, mitigated by the fact that most queries will not reach the root due to caching of responses. In any case worth some discussion in the era of pervasive surveillance….

Furthermore, the reference to [RSSAC-001] leads to a list of members of RSSAC, not to a document. A quick search at the RSSAC site also didn’t get me to any document called "Service Expectations of Root Servers”, only to the project that was supposed to deliver it. I think you need to fix that reference.

===

Hope this helps,

Klaas