Last Call Review of draft-ietf-dnsop-name-server-management-reqs-
review-ietf-dnsop-name-server-management-reqs-secdir-lc-nystrom-2010-11-13-00

Request Review of draft-ietf-dnsop-name-server-management-reqs
Requested rev. no specific revision (document currently at 05)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2010-11-16
Requested 2010-10-24
Authors Wes Hardaker
Draft last updated 2010-11-13
Completed reviews Secdir Last Call review of -?? by Magnus Nystrom
Assignment Reviewer Magnus Nystrom
State Completed
Review review-ietf-dnsop-name-server-management-reqs-secdir-lc-nystrom-2010-11-13
Review completed: 2010-11-13

Review
review-ietf-dnsop-name-server-management-reqs-secdir-lc-nystrom-2010-11-13

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

This document describes requirements on management solutions for name servers.

I find this document easy to read and well organized, but have the
following security-related suggestions and questions:

- Section 3.2.2: When developing requirements for a new management
solution, why not require support for DNSSEC?
- Section 4.4: "Fine-grained" is not defined. I believe a management
solution for name servers always should provide an authorization
solution, and would suggest you change the initial sentence of this
requirement to say: "The solution MUST be capable of providing an
authorization model for any management protocols it introduces to the
completed system."
- Section 6 (Security Considerations): The first sentence is
essentially a tautology: "Any management protocol that meets the
criteria discussed in this document needs to support the criteria
discussed in Section 4 [in this document] ..." I suggest striking this
sentence as those criteria already are mandated anyway. Alternatively,
re-formulate to something like: "Any management protocol for which
conformance to this document is claimed needs to fully support the
criteria discussed in Section 4 ..."

-- Magnus