Reviewer: Nicolai Leymann
Review result: Ready with Issues
Hi,
I was assigned as the dnsdir reviewer for
draft-ietf-opsawg-mud-iot-dns-considerations.
The draft is on BCP track and details concerns related to the use of IP
addresses and DNS names by IoT devices specifically when using MUD
(Manufacturer Usage Description) and makes proposals how DNS can be used in the
context of MUD files.
There were already several reviews in the past and a fair amount of discussion
on the mailing list. As far as I can see most of the comments made by the
reviewers and on the mailing list have been addressed in the latest version of
the draft.
The draft has a clear structure, but needs some "language polishing" (also see
nits below) and there are a few minor issues which should be fixed.
Major issues:
none
Minor issues:
Section 3.1.2:
- "This does not require access to all on-path data, just to the DNS requests
to the bottom level of the DNS tree."
○ NL: Data of DNS requests is only visible if a non encrypted communication
is being used. Protocols such as DoH or DoT provide encryption,
Section 3.2:
- I think the assumption is correct that there is a good chance that in typical
home network CPEs, MUD controller and recursive resolver are running on the
same deviced (the CPE).
○ NL: I might be worthwhile to mention that not all IoT devices necessarily
use the DNS server provided by the network (e.g., they may default to one of
the large open resolvers).
Section 3.2:
- "Properly designed recursive servers should cache data for at least some
number of minutes, up to some number of days, while the underlying DNS data can
change at a higher frequency, providing different answers to different queries!"
○ NL: Not sure if I got this. Can you be a bit more clear how "number of
minutes/number of days" is related to TTLs used in DNS?
Section 6.1:
- "Finally, the list of public resolvers that might be contacted MUST be listed
in the MUD file as destinations that are to be permitted! This should include
the port numbers (i.e., 53, 853 for DoT, 443 for DoH) that will be used as
well."
○ NL: What is the difference between a public resolver (e.g. 8.8.8.8) and a
resolver provided by an ISP (sitting in network of ISP and being used by end
devices in home/local networks)? Is the assumption that the public resolvers
will be used in addition to resolvers provided by the network?
Nits:
Section 3.1:
- "Attempts to map IP address to names …" -> "attempts to map IP
addresses to names …" - "the mapping are …" -> "the mappings are …"
Section 4.1:
- "avoid a IP address literal" -> "avoid an IP address literal"
Section 5:
- "For some users and classes of device" -> "For some users and classes
of devices"
Regards
Nic
--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
