Re: [Last-Call] Dnsdir telechat review of draft-ietf-dnssd-srp-22

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Ted

 

No problem at all

 

I am totally fine with your commentary as well, it makes sense to let IESG determine if these are big enough molehills to squash at this late stage – I don’t believe they are truly substantive issues, It’s more wordsmith stuff really

 

Thanks

 

Anthony

 


Internal All Employees

From:
Ted Lemon <mellon@xxxxxxxxx>
Date: Tuesday, 11 July 2023 at 14:44
To: Anthony Somerset <Anthony.Somerset@xxxxxxxxxxx>
Cc: dnsdir@xxxxxxxx <dnsdir@xxxxxxxx>, dnssd@xxxxxxxx <dnssd@xxxxxxxx>, draft-ietf-dnssd-srp.all@xxxxxxxx <draft-ietf-dnssd-srp.all@xxxxxxxx>, last-call@xxxxxxxx <last-call@xxxxxxxx>
Subject: Re: Dnsdir telechat review of draft-ietf-dnssd-srp-22

For some reason your review didn't show up (and still doesn't) when I search for it. I should just use the datatracker for these searches I guess. I do see some things I'd address in your review if the IESG wants a document update. Since I didn't reply to it earlier, I will do so now. And thank you for doing that review—I know these are significant effort, and I am sorry that I didn't see it earlier!

 

I would suggest being consistent with the naming, Apple should probably be
referred to as MacOS, iOS (and likely the derivatives like iPadOS etc) or
perhaps:
   e.g. Android, Windows, Linux, and Apple based Operating Systems

 

That's a good point—I hadn't noticed that. I'm not sure this desperately needs to be fixed, but we can discuss it during the RFC editor phase if the IESG doesn't ask for a fix.

 

Should there be some commentary about preventing a domain/service squatting
type denial of service in the security considerations? or am I just being
overly cynical here?

 

Sounds like this is covered.

 

Section 4
TTLs sent in SRP Updates are advisory: they indicate the SRP
   requestor's guess as to what a good TTL would be.  SRP registrars may
   override these TTLs.  SRP registrars SHOULD ensure that TTLs are
   reasonable: neither too long nor too short.  The TTL should never be
   longer than the lease time (Section 5.1).
   
I would suggest a RECOMMENDED TTL or upper and lower bound - otherwise this is
vague. I like how you handled a similar suggestion around leases in section 5.1
which could be applied here, the rest of the section makes a good explanation
to the various tradeoffs which helps bring context. 

 

I would not be averse to updating this text if the IESG thinks it's worth doing. However, I think the last sentence (should never be longer than the lease time) addresses the main concern. Our experience has been that users of SRP choose short leases when they expect the registration to be withdrawn quickly. So if the record expires out of the cache after a maximum of one lease interval after the SRP registration expires, this is probably okay. I actually thought about recommending a TTL of 10% of the lease interval, but that only makes sense if the lease is going to be allowed to expire immediately. Most of the time that's not the situation.

 

Section 6.1 mentions UDP - but earlier says only TCP in 3.1.3, also 10.4
and 10.5 only reference TCP service entries

 

We expect that anycast will be used for UDP, but it could be worth explaining this (I thought we had, but it wouldn't surprise me if we never actually did).

 

There is no matching reference to UDP in 3.1.2 as the reference in 6.1 is to
constrained networks. Maybe a reference to state that UDP is possible in
constrained networks? 

 

It isn't our intention that constrained devices be _required_ to use UDP. It's just available as an option there. In some cases TCP may actually be a better choice. So that's why we don't mention it explicitly.

 

Also does the smallest possible SRP update fit inside a UDP datagram in the
first place, especially given the use of public keys in updates? 

 

Yes, absolutely. The signature isn't that big, nor is the key, since we're using ECDSA.

 

Anyway, I'm going to note this reply in the github tracker; if the IESG wants me to do an update to address these points, I will, but since we're past the submission cutoff, and the document is with the IESG for review, I will defer this decision to them. 

 

On Tue, Jul 11, 2023 at 5:42 AM Anthony Somerset via Datatracker <noreply@xxxxxxxx> wrote:

Reviewer: Anthony Somerset
Review result: Ready

Hello

I have been selected as the DNS Directorate reviewer for this draft. The
DNS Directorate seeks to review all DNS or DNS-related drafts as
they pass through IETF last call and IESG review, and sometimes on special
request. The purpose of the review is to provide assistance to the ADs.
For more information about the DNS Directorate, please see
https://wiki.ietf.org/en/group/dnsdir

Please note that I previously reviewed version 20 of this draft and at that
time stated that the document was "Ready"

I am therefore only reviewing the differences between version 20 and current
version (22)

There are are clear and direct references to various DNS RFC's and this
draft is not in any conflict with the wider DNS space.

All in all I think this is a very well written document, although quite
lengthy and makes lots of references to the appropriate RFC's it is well
understandable and didn't take me too long to get to grips with the context.

All but one of my previous editorial comments still remain except for my notes
on security around domain/service squatting, this particular aspect I believe
has been dealt with excellently with the additional text in 6.1 and I agree
with the authors statements here. As previously noted the other items were more
editorial comments rather than substantive.

The additional sections 8.3 through 8.7 add much better clarity to the specific
considerations around authoritative and recursive servers

Therefore I continue to consider this document as "Ready"

Many Thanks to the authors for this work.

Best Regards

Anthony Somerset
DNS Directorate


This email disclaimer applies to the original email, all attachments and any subsequent emails sent by Liquid Telecom. This email contains valuable business information that is privileged, confidential and/or otherwise protected from disclosure, intended only for the named person or entity to which it is addressed. If you are not the intended recipient of this email and you received this e-mail in error, any review, use, dissemination, distribution, printing or copying of this e-mail is strictly prohibited and may be unlawful and/or an infringement of copyright. Please notify us immediately of the error and permanently delete the email from your system, retaining no copies in any media. No employee or agent is authorized to conclude any binding agreement on behalf of Liquid Telecom with another party or give any warranty by email without the express written confirmation by an authorized representative or a director of Liquid Telecom. Nothing in this email shall be construed as a legally binding agreement or warranty or an offer to contract. Liquid Telecom will not be responsible for any damages suffered by the recipient as a result of the recipient not taking cognizance of this principle. Liquid Telecom accepts no liability of whatever nature for any loss, liability, damage or expense resulting directly or indirectly from the access of any files which are attached to this message. Any email addressed to Liquid Telecom shall only be deemed to have been received once receipt is confirmed by Liquid Telecom orally or in writing. An automated acknowledgment of receipt will not suffice as proof of receipt by the Liquid Telecom. This email disclaimer shall be governed by the laws of South Africa.
-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux