[Last-Call] Secdir last call review of draft-ietf-dnsop-extended-error-14

Reviewer: Catherine Meadows
Review result: Has Issues

This ID defines an extensible method to return information about the cause of
DNS errors.  It extends both the type of response that can contain error
messages and the type of messages that can be returned, and includes mechanisms
that can be used to add more as needed.

The Security Considerations section mentions some valid points, but it is not
made clear how they apply to extended DNS error messages (as opposed to DNS
error messages in general). It first makes the non-obvious point that a
significant number of clients, when receiving a failure message about a DNS
validation issue from a validated resolver, will seek out an unvalidated
server instead. It is not clear to me though whether you think that extending
the types of DNS error messages available (thus giving more information to the
client) would help address this problem. You should say something about this.
Secondly, it discusses the security implications of the fact that DNS error
messages are unauthenticated.

In addition, in the paragraph about the security implications of DNS error
messages being unauthenticated, you should say whether or not extending the
types of DNS error messages would improve the situation, make it worse, have
no effect, or is unclear.
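The two concerns the review raises (clients abandoning a validating resolver on a DNS validation failure, and error messages being unauthenticated) come together at the point where a stub resolver parses the extended error and decides what to do with it. The following is an added example, not code from the review, the draft, or the IETF, showing a validating stub's handling of Extended DNS Error options: it parses the option out of EDNS(0) OPT RDATA, treats the free text as untrusted diagnostic data, and classifies the INFO-CODE into outcomes none of which is "retry at a non-validating resolver". It assumes the draft's wire format (EDNS option code 15, a 2-byte INFO-CODE followed by optional UTF-8 EXTRA-TEXT); the INFO-CODE meanings are the values published in RFC 8914, the final form of this draft, so they should be checked against the draft version under review, and the transient/validation/policy grouping is this example's own.

```python
"""Extended DNS Error (EDE) option handling for a validating stub resolver.

Added example, not from the review or the draft. Assumptions: EDE is EDNS(0)
option code 15 carrying a 2-byte INFO-CODE plus optional UTF-8 EXTRA-TEXT;
INFO-CODE meanings are the RFC 8914 values (check against the draft under
review); the transient/validation/policy grouping is this example's own.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

EDE_OPTION_CODE = 15          # EDNS option code assigned to EDE
MAX_EXTRA_TEXT = 255          # cap for text we are willing to log or display

# Groups of INFO-CODEs (this example's own grouping of RFC 8914 values).
TRANSIENT_CODES = {3, 14, 19, 22, 23}   # Stale Answer, Not Ready, Stale NXDOMAIN,
                                        # No Reachable Authority, Network Error
VALIDATION_CODES = {4, 5, 6, 7, 8, 9, 10, 11, 12}  # Forged Answer .. NSEC Missing
POLICY_CODES = {15, 16, 17, 18}         # Blocked, Censored, Filtered, Prohibited


@dataclass
class ExtendedError:
    info_code: int
    extra_text: str


def parse_edns_options(rdata: bytes) -> List[Tuple[int, bytes]]:
    """Split OPT RR RDATA into (OPTION-CODE, OPTION-DATA) pairs (RFC 6891 layout),
    refusing truncated or over-long options rather than reading past the buffer."""
    options = []
    pos = 0
    while pos < len(rdata):
        if len(rdata) - pos < 4:
            raise ValueError("truncated EDNS option header")
        code, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if len(rdata) - pos < length:
            raise ValueError("EDNS option length exceeds RDATA")
        options.append((code, rdata[pos:pos + length]))
        pos += length
    return options


def parse_extended_errors(rdata: bytes) -> List[ExtendedError]:
    """Extract every EDE option from OPT RDATA. EXTRA-TEXT arrives unauthenticated
    from whoever produced the response, so it is decoded leniently, length-capped,
    and treated as display/diagnostic data only, never as input to policy."""
    errors = []
    for code, data in parse_edns_options(rdata):
        if code != EDE_OPTION_CODE:
            continue
        if len(data) < 2:
            raise ValueError("EDE option shorter than its INFO-CODE")
        (info_code,) = struct.unpack_from("!H", data, 0)
        text = data[2:].decode("utf-8", errors="replace")[:MAX_EXTRA_TEXT]
        errors.append(ExtendedError(info_code, text))
    return errors


def classify(err: ExtendedError) -> str:
    """Map an EDE to what a validating stub may do with it. Because the option is
    unauthenticated, no outcome here is 'retry at a non-validating resolver':
    a validation failure is surfaced to the caller with diagnostics, a transient
    condition may be retried against the same validating resolver, and a policy
    block is reported as such."""
    if err.info_code in VALIDATION_CODES:
        return "validation"
    if err.info_code in TRANSIENT_CODES:
        return "transient"
    if err.info_code in POLICY_CODES:
        return "policy"
    return "other"


def build_ede_option(info_code: int, extra_text: str = "") -> bytes:
    """Encode one EDE option; used here only to construct sample OPT RDATA."""
    payload = struct.pack("!H", info_code) + extra_text.encode("utf-8")
    return struct.pack("!HH", EDE_OPTION_CODE, len(payload)) + payload


if __name__ == "__main__":
    # Constructed sample: a DNSSEC Bogus EDE with text, an unrelated EDNS option
    # (code 10, COOKIE-shaped, 8 zero bytes) the parser must skip, and a Stale Answer EDE.
    sample = (build_ede_option(6, "signature failed to validate")
              + struct.pack("!HH", 10, 8) + bytes(8)
              + build_ede_option(3))
    for err in parse_extended_errors(sample):
        print(err.info_code, classify(err), repr(err.extra_text))
```

The point the classifier makes is the one the review asks the draft to state explicitly: a richer error code can tell a client whether retrying the same validating resolver is worthwhile, but since the option carries no authentication it must not be allowed to steer the client toward an unvalidated one.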
