Last Call Review of draft-ietf-dnsop-extended-error-14
review-ietf-dnsop-extended-error-14-secdir-lc-meadows-2020-03-31-00

Request Review of draft-ietf-dnsop-extended-error
Requested rev. no specific revision (document currently at 16)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2020-04-02
Requested 2020-03-12
Authors Warren Kumari, Evan Hunt, Roy Arends, Wes Hardaker, David Lawrence
Draft last updated 2020-03-31
Completed reviews Secdir Last Call review of -14 by Catherine Meadows
Genart Last Call review of -14 by Joel Halpern
Opsdir Last Call review of -14 by Scott Bradner
Assignment Reviewer Catherine Meadows
State Completed
Review review-ietf-dnsop-extended-error-14-secdir-lc-meadows-2020-03-31
Posted at https://mailarchive.ietf.org/arch/msg/secdir/TOH5k61BzO1C1GxO3nTGGQF0ops
Reviewed rev. 14 (document currently at 16)
Review result Has Issues
Review completed: 2020-03-31

Review
review-ietf-dnsop-extended-error-14-secdir-lc-meadows-2020-03-31

This ID defines an extensible method to return information about the cause of DNS errors.  It extends both the type of response that can contain error messages and the type of messages that can be returned, and includes mechanisms that can be used to add more as needed.

The Security Considerations section mentions some valid points, but it is not made clear how they apply to extended DNS error messages (as opposed to DNS error messages in general).

It first makes the non-obvious point that a significant number of clients, when receiving a failure message about a DNS validation issue from a validated resolver, will seek out an unvalidated server instead. It is not clear to me though whether you think that extending the types of DNS error messages available (thus giving more information to the client) would help address this problem. You should say something about this.

Secondly, it discusses the security implications of the fact that DNS error messages are unauthenticated.

In addition, in the paragraph about the security implications of DNS error messages being unauthenticated, you should say whether or not extending the types of DNS error messages would improve the situation, make it worse, have no effect, or is unclear.
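The two security points the review raises (extended error text is unauthenticated, and clients that see a validation failure tend to fall back to an unvalidated resolver) are easiest to see in a client that actually handles the option. The following is an added example, not code from the draft, the review or any DNS implementation. Wire-format values are taken from the published RFC 8914 rather than from this page (EDNS OPTION-CODE 15, a 2-octet INFO-CODE followed by EXTRA-TEXT; the INFO-CODE names are a subset of that registry). The response bytes are constructed in the block, and the two policy functions `naive_policy` and `validating_policy` are hypothetical.

```python
"""Extended DNS Error (EDE) parsing plus a validating-stub policy for it.

Added example, not code from the draft, the review or any DNS project.
Wire-format values come from the published RFC 8914 (OPTION-CODE 15,
2-octet INFO-CODE followed by EXTRA-TEXT), not from this page; EDE_NAMES
is a subset of that registry.  All response bytes are constructed here.
"""
import struct

EDE_OPTION_CODE = 15   # RFC 8914 EDNS option code
OPT_RRTYPE = 41        # EDNS(0) OPT pseudo-RR
EDE_NAMES = {          # subset of the RFC 8914 INFO-CODE registry
    0: "Other", 3: "Stale Answer", 4: "Forged Answer", 5: "DNSSEC Indeterminate",
    6: "DNSSEC Bogus", 7: "Signature Expired", 9: "DNSKEY Missing",
    10: "RRSIGs Missing", 15: "Blocked", 16: "Censored", 17: "Filtered",
}
DNSSEC_CODES = {1, 2, 5, 6, 7, 8, 9, 10, 11, 12}  # validation-outcome codes


def encode_name(name):
    """Uncompressed wire encoding of a domain name (labels + root)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_servfail(qname, ede_code=None, extra_text=b""):
    """Constructed SERVFAIL response: one question + one OPT RR (optional EDE)."""
    flags = 0x8000 | 2                                  # QR=1, RCODE=2 SERVFAIL
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    rdata = b""
    if ede_code is not None:
        body = struct.pack("!H", ede_code) + extra_text
        rdata = struct.pack("!HH", EDE_OPTION_CODE, len(body)) + body
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-RCODE/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_RRTYPE, 1232, 0, len(rdata)) + rdata
    return header + question + opt


def skip_name(msg, off):
    """Offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer ends the name
            return off + 2
        off += 1 + length


def extract_ede(msg):
    """Return [(info_code, extra_text), ...] found in the OPT RR, else []."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                  # question: name + QTYPE + QCLASS
        off = skip_name(msg, off) + 4
    for _ in range(an + ns):             # answer/authority RRs: skip whole RR
        off = skip_name(msg, off)
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
    found = []
    for _ in range(ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype != OPT_RRTYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):     # walk the EDNS option list
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
            if code == EDE_OPTION_CODE and len(body) >= 2:
                info = struct.unpack("!H", body[:2])[0]
                # EXTRA-TEXT should be UTF-8; never reject a response over it
                found.append((info, body[2:].decode("utf-8", errors="replace")))
    return found


def naive_policy(msg):
    """Hypothetical client behaviour akin to what the review warns about: a
    DNSSEC-related EDE (unauthenticated, so a forged one is indistinguishable
    from a genuine one) makes the client retry via an unvalidated resolver."""
    return any(code in DNSSEC_CODES for code, _ in extract_ede(msg))


def validating_policy(msg):
    """Hypothetical hardened form: EDE is diagnostic only.  RCODE and the
    client's own validation drive the outcome; EDE is recorded for operators
    but never triggers a fallback to an unvalidated resolver."""
    rcode = struct.unpack("!H", msg[2:4])[0] & 0x0F
    notes = [f"EDE {c} ({EDE_NAMES.get(c, 'unassigned')}): {t!r}"
             for c, t in extract_ede(msg)]
    return {"outcome": "fail" if rcode else "accept",
            "retry_unvalidated": False, "diagnostics": notes}
```

Running `validating_policy(build_servfail("example.", 6, b"validation failure <example.>"))` returns a failed outcome with the EDE text in `diagnostics` and `retry_unvalidated` set to False, whereas `naive_policy` on the same bytes returns True. The contrast is the point the review asks the draft to make explicit: the extra information is useful to log and display, but because nothing authenticates it, a client that lets it drive a downgrade decision is worse off than one that ignores it.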