review of draft-iab-2870bis-01

[Klaas Wierenga (kwiereng)]

Hi,

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This document specifies he protocol and deployment requirements expected to be implemented for the DNS root name service, operational requirements are taken out of 2870, those are published separately (one hopes, see below).
The document is short (thank you! ;-) and clear. I consider it ready with a few issues:

===

- paragraph 3 (deployment requirements):

"The root name service:

      MUST answer queries from any entity conforming to [RFC1122] with a
      valid IP address.”

I find this a bit confusing. Perhaps showing my ignorance, but should it not be be “… with a valid IP-address or a referral to an authoritative name server”?

- paragraph 4 (security considerations):

This is a bit weak imo. 

At the very least I would expect some discussion about privacy here or in a separate section “privacy considerations”, queries to the root give good insight into what sites the requester is visiting, mitigated by the fact that most queries will not reach the root due to caching of responses. In any case worth some discussion in the era of pervasive surveillance….

Furthermore, the reference to [RSSAC-001] leads to a list of members of RSSAC, not to a document. A quick search at the RSSAC site also didn’t get me to any document called "Service Expectations of Root Servers”, only to the project that was supposed to deliver it. I think you need to fix that reference.

===

Hope this helps,

Klaas