On Thu, Aug 04, 2016 at 08:03:35PM -0400, Tim Wicinski <tjw.i...@gmail.com> wrote a message of 27 lines which said:
> This starts a Working Group Last Call for draft-ietf-dnsop-resolver-priming

I know, it's too late (damned holidays) but I think the document is OK, I just suggest a few additions:

Section 3.3: Replace the first two sentences by:

   The resolver MAY set the DNSSEC OK [RFC4033] bit. At the time this
   document is being published, there is little use in performing
   DNSSEC validation on the priming query. This is because all root
   name servers are under a separate zone, "root-servers.net"
   (delegated to the root name servers). The resolver will eventually
   need AAAA and A RRsets of the NS names in this zone. But the
   "root-servers.net" zone is not signed. So a man-in-the-middle
   attack on the priming query can result in malicious data in the
   responses.

(it was proposed and explained in <https://mailarchive.ietf.org/arch/msg/dnsop/c09YZDWvSbcuNxQbDshICQdW5IE>)

Same section 3.3, at the end, add:

   Note a validating resolver won't accept responses from rogue root
   name servers, if they are different from the real responses, since
   the resolver has a trust anchor for the root and the answers from
   the root are signed. So, if there is a man-in-the-middle attack on
   the priming query, the only result for a validating resolver will
   be a denial of service.

Section 5, add a reference to section 3.3, after "DNSSEC".

There is also a small contradiction between the abstract ("and the necessary address information for reaching the root servers") and section 4.1 ("There _may be_ an Additional section with A and/or AAAA RRSets").

Two personal questions (I cannot find a discussion on these two points in the archive):

Section 4.1 "There may be an Additional section with A and/or AAAA RRSets"

There is no mention of what the resolver should do if this section is missing. Sending a query XXX.root-servers.net/AAAA to the same authoritative server used for the priming?

Section 4.2 "a resolver SHOULD consider the address information found in the Additional section complete for any particular server that appears at all"

Why this rule? (Most root name servers, when the advertised buffer is too small, sacrifice IPv6 addresses.)
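The two mechanics the mail argues about, the DO bit on the priming query (section 3.3) and an Additional section that carries addresses for only some of the NS names (sections 4.1 and 4.2), are shown below in an added example written for this page; it is not code from the draft, the list, or any resolver. It builds a `./NS` priming query with an EDNS0 OPT record, parses a priming response at the wire level (including name compression), and then applies the section 4.2 rule: a server with any address in Additional is treated as complete, one with no address at all is reported as needing its own A/AAAA lookups. The sample response is constructed locally with TEST-NET and documentation addresses; the server names and address values are assumptions, not real root data.

```python
import struct
import ipaddress

NS, A, AAAA, OPT = 2, 1, 28, 41  # RR types used below


def _encode_name(name):
    """Wire-encode a domain name without compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_priming_query(txid=0x1234, do_bit=True, udp_size=1232):
    """Build a ./NS priming query with an OPT record; the DO bit is bit 15 of OPT's TTL field."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional
    question = _encode_name(".") + struct.pack("!HH", NS, 1)     # QTYPE=NS, QCLASS=IN
    ttl = 0x8000 if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, ttl, 0)  # root name, TYPE=OPT, CLASS=UDP size
    return header + question + opt


def _read_name(data, offset):
    """Decode a possibly-compressed name; return (name, offset just past it in the stream)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels).lower() + ".", end


def _read_rr(data, offset):
    name, offset = _read_name(data, offset)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
    offset += 10
    return name, rtype, rclass, ttl, data[offset:offset + rdlen], offset, offset + rdlen


def parse_priming_response(data):
    """Collect the root NS names from Answer and every A/AAAA from Additional, plus EDNS details."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(data, offset)
        offset += 4
    result = {"tc": bool(flags & 0x0200), "do": None, "udp_size": None, "ns": [], "addrs": {}}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, rtype, rclass, ttl, rdata, rdata_off, offset = _read_rr(data, offset)
            if section == "answer" and rtype == NS and name == ".":
                target, _ = _read_name(data, rdata_off)        # NS target may be compressed
                result["ns"].append(target)
            elif section == "additional" and rtype in (A, AAAA):
                result["addrs"].setdefault(name, []).append(str(ipaddress.ip_address(rdata)))
            elif rtype == OPT:
                result["do"], result["udp_size"] = bool(ttl & 0x8000), rclass
    return result


def classify_priming_response(parsed):
    """Section 4.2 rule: any address present => complete; none present => needs its own lookups."""
    complete, missing = {}, []
    for server in parsed["ns"]:
        addrs = parsed["addrs"].get(server)
        (complete.__setitem__(server, addrs) if addrs else missing.append(server))
    return complete, missing


def build_sample_response(txid=0x1234):
    """Constructed response (assumed names, TEST-NET/documentation addresses): two NS names,
    Additional carries A+AAAA for the first only, mimicking a size-limited Additional section."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 3)   # QR/RD/RA, 2 answers, 3 additional
    question = _encode_name(".") + struct.pack("!HH", NS, 1)
    a_name = _encode_name("a.root-servers.net")
    rr1 = _encode_name(".") + struct.pack("!HHIH", NS, 1, 518400, len(a_name)) + a_name
    suffix_off = len(header) + len(question) + 1 + 10 + 2       # offset of "root-servers.net" in rr1
    b_rdata = b"\x01b" + struct.pack("!H", 0xC000 | suffix_off)  # "b" + pointer to shared suffix
    rr2 = _encode_name(".") + struct.pack("!HHIH", NS, 1, 518400, len(b_rdata)) + b_rdata
    a4 = a_name + struct.pack("!HHIH", A, 1, 518400, 4) + ipaddress.IPv4Address("192.0.2.1").packed
    a6 = a_name + struct.pack("!HHIH", AAAA, 1, 518400, 16) + ipaddress.IPv6Address("2001:db8::1").packed
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x8000, 0)
    return header + question + rr1 + rr2 + a4 + a6 + opt


if __name__ == "__main__":
    parsed = parse_priming_response(build_sample_response())
    complete, missing = classify_priming_response(parsed)
    print("complete:", complete)
    print("needs A/AAAA lookups:", missing)
```

Run as a script, it reports `a.root-servers.net.` as complete and `b.root-servers.net.` as needing separate address lookups, which is exactly the case the section 4.1 question leaves open. The DO bit is read back from the OPT record so a resolver can confirm what it actually sent before deciding whether to validate the response.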