
draft-ietf-dnsext-forgery-resilience-01.txt



After review, this document seems to me to be in good shape, and it
would be a good idea to foresee a WG Last Call for it.

The issues I still have (yes, I will record them on the Wiki):

* a reference (normative?) to RFC 4086 would be a very good idea, with
a link from section 9 "Implementations SHOULD use good random source
to select a Query ID"

* -01 says "TBD: Do we need to talk about stub resolvers?  Does this
draft apply to them?" I believe that the answer is yes. A typical stub
resolver cannot receive unexpected answers (it typically does not
listen forever on the network), but it still can be fooled when
listening for a reply. In addition, a typical stub resolver should
listen only to the answers coming from the nameservers listed in its
configuration (/etc/resolv.conf on Unix), but I'm not sure they all
do and, anyway, it is not sufficient: the other countermeasures
mentioned in section 9 all apply.

[Soap box: I regret there is no list of changes from previous
versions. It seems most of them are precisions in the Countermeasures
section.]




--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
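As an added illustration (not part of the message above nor of the draft), here is the set of reply checks a stub resolver would apply while listening for an answer: accept a reply only if it comes from the configured nameserver the query was sent to, on the query's source port, with a matching query ID and question section, and draw the ID from a cryptographic random source as RFC 4086 recommends. The nameserver addresses, ports and names are constructed for the example.

```python
import secrets
from dataclasses import dataclass

# Constructed stand-in for the nameservers listed in /etc/resolv.conf.
CONFIGURED_SERVERS = {"192.0.2.53", "192.0.2.54"}


@dataclass(frozen=True)
class Query:
    txid: int       # 16-bit query ID put in the outgoing packet
    src_port: int   # UDP source port the query left from
    qname: str
    qtype: int
    server: str     # nameserver address the query was sent to


@dataclass(frozen=True)
class Reply:
    txid: int
    dst_port: int   # UDP destination port the reply arrived on
    qname: str
    qtype: int
    src_addr: str   # address the reply claims to come from
    qr: bool        # QR header bit: True for a response


def new_txid():
    """Query ID from a CSPRNG rather than a counter or time-seeded PRNG."""
    return secrets.randbelow(1 << 16)


def accept_reply(query, reply, servers=CONFIGURED_SERVERS):
    """Return (accepted, reason). Every check must pass; the source-address
    check alone is not sufficient, since a spoofed packet can carry it."""
    if not reply.qr:
        return False, "not a response"
    if reply.src_addr not in servers:
        return False, "source is not a configured nameserver"
    if reply.src_addr != query.server:
        return False, "source differs from the server queried"
    if reply.dst_port != query.src_port:
        return False, "port does not match the outstanding query"
    if reply.txid != query.txid:
        return False, "query ID mismatch"
    if (reply.qname.lower(), reply.qtype) != (query.qname.lower(), query.qtype):
        return False, "question section mismatch"
    return True, "accepted"
```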