On Wed, May 6, 2015 at 3:33 PM, Rose, Scott W. <scott.r...@nist.gov> wrote: > I think the draft is just about ready for publication as well. > > On May 5, 2015, at 5:53 PM, Paul Hoffman <paul.hoff...@vpnc.org> wrote: > >> This document has progressed very well and is nearly ready for publication. >> >> Related to an earlier thread about intended status: "Informational" is most >> appropriate here because the document is all about proposed operations but >> no "best current practice". There is no problem with WGs producing >> Informational RFCs, and Informational RFCs can have RFC 2119 language. >> >> In Section 2, there should be a new paragraph after the first paragraph that >> describes why the "reasonable attempt" in the first paragraph is needed to >> determine whether the attacker has partial control of the zone, or is just >> mounting an on-path attack between all the nameservers and the recursive. >> >> In Section 2, it talks about "a popular domain name" but don't say how to >> determine that. Giving examples of sources of that data would be valuable. >> > I would recommend local query logs, naturally.
Oooh! Added. Thanks. > > >> >> In Section 7.1, the second paragraph is *not* a security consideration, it >> is a proposal for how NTAs should be implemented. Please make this its own >> section earlier in the document, possibly called "Altering Users of NTA Use". >> > There is a security consideration there, reading between the lines - in that > this is broadcasting a spoofable name to the world. However, a "Altering > User's" section would be a good addition to include text about apps that may > break if it is known they demand to see the AD bit set in responses. Good point. I'm assuming^W hoping that applications that assume a domain is signed, and expect the AD bit *should* actually be doing their own validation. But I added this to the security section (it felt securityish). "One side effect of implementing an NTA is that it may break client applications that assume that a domain is signed and expect an AD bit in the response. It is expected that many application that require DNSSEC for a domain will perform their own validation, and so this should not be a major issue." Is this clear / helpful? > > Scott > > > > =================================== > Scott Rose > NIST > scott.r...@nist.gov > +1 301-975-8439 > Google Voice: +1 571-249-3671 > http://www.dnsops.gov/ > https://www.had-pilot.com/ > =================================== > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
