[RZERC] rzerc-zone-protection-recommendations

Daniel Migault mglt.biz at gmail.com
Thu Oct 8 18:14:10 UTC 2020 

Hi,

Please find my comments regarding the current
draft rzerc-zone-protection-recommendations.
I assume, my comments are coming pretty late,
so please consider these as random comments.

"""The mechanism of promulgating """

In the first paragraph it looks like zone
transfer is new and differs from DNS query
exchange protected by DNSSEC. If my
reading is correct, it is confusing to me as
I see AXFR/IXFR as mechanisms based on
conventional query responses that are neither
new nor protected by DNSSEC. I do not think
the paragraph adds any value here and the
background section may start with the second
paragraph instead "Traditionally .... ".

""" Traditionally..."""

I am wondering if we should add a coma
after Traditionally ?

I do not see any references to RFCs for AXFR,
DNSSEC... I suppose that is an editorial
choice.

Most expended acronyms are using small
letters but not always, for example TSIG or
DNSSEC. I am wondering if that should not be
uniformed, unless there is a reason for not
uniforming these.

"""Since the root zone is signed..."""

I read this paragraph as providing reasons
for signing the zone as a whole. It sounds
surprising to me that the first reason
invoked is that some elements are not signed
with DNSSEC - NS. The obvious solution seems
to sign these RR as opposed to the zone if
that were a problem. Thus, I believe that the
primary reason is that DNSSEC has not been
designed for that purpose and as a result
should be mentioned first. This design has
two consequences: A major consequence is that
using DNSSEC to check the integrity of the
zone would be very difficult as it would
mostly consist in validating the DNSSEC file.
A second consequence is that some data -
delegation and corresponding addresses are
not signed. Just to be clear I thing that is
more a consequence that DNSSEC has not been
designed for zone transfer.

"""Prior to the use of DNSSEC... """

I am a bit puzzled by the word "important" as
if that were the case, I think we would have
secured communications and maybe not have any
resolvers. I think I would remove
"important". "The source of the data" seems
to me ambiguous as to me the data is the zone
as opposed to the queries/exchange.  It also
seems to me that the DNS client is limited to
the DNS client on a resolver, as opposed to
stub client. I would thus propose some text
around the following lines:

"""
Prior to the use of DNSSEC,  DNS clients on
resolvers implicitly trusted the server
assumed it provides authentic and unmodified
resource records. With the advent of DNSSEC,
modification of resource records can be
detected which relaxes the need to
communicate with a trusted server.  """

Yours,
Daniel

-- 
Daniel Migault
Ericsson
8400 boulevard Decarie
Montreal, QC   H4P 2N2
Canada

Phone: +1 514-452-2160

More information about the RZERC mailing list