Dear authors,

Thank you (and extended thanks to the WG) for this document.

Please find below my AD review of the -08 revision of the document. Before 
proceeding with the publication process, I would appreciate replies to the 
points below (and possibly a revised I-D).

- Section 1: please replace the reference to RFC7626 with the 7626bis document, 
which is already in the RFC editor queue
- Section 1: does the use of legacy RFC 7626 rather than the bis impact the 
rest of the section?
- Section 1: “Some operators use SSH tunneling or IPSec to encrypt the 
transfer data” is this assertion backed by some public references?
- Section 1: did you consider adding something about reconnaissance? I.e., 
network scanning of an IPv6 prefix is basically impossible but having access to 
a DNS zone and its AAAA RR makes the reconnaissance trivial
- Section 4.1: from a logical flow perspective, I would have started with the 
threat model first, then the confidentiality/authentication parts
- Section 4: I find the logic of the ‘performance’ point weird because it is 
not really generated by the document but rather by an upgrade. I suggest 
rewriting this part.
- Some nits: usually ‘e.g.’ is surrounded by commas
- BTW, while I appreciate the trend to replace master by primary, may I suggest 
clarifying in the terminology section that ‘primary’ means ‘master’ and 
‘secondary’ means ‘slave’? Up to you as it is a touchy topic but making the 
link with the legacy document seems important to me. Really up to the authors.
- Section 5.2, last §: missing a closing ‘)’
- Section 5.3.2: please qualify “lag” (I guess serial numbers)
- Section 6: unsure whether “(probably unintentional)” adds any value; consider 
removing it?
- Section 6.4, "one DoH connection" even with the "could hypothetically 
include" appears a little weird to me
- Section 7, consider expanding XoT in the section title? It looks weird 
in the ToC
- section 7.6, perhaps also expand XoT and ADoT in the section title
- section 7.6, §2 "short term,S.S. with regard" typo in S.S. ?
- section 8, long RTTs are mentioned as a reason to change the preferred 
primary, but RTT is only one part of the TCP throughput. Should this be 
elaborated further?
- section 8, in " 'parallel primary connection' model" should this be "models" ?
- section 9.3.1 "MitM" is not defined and the current trend is to replace it with 
"on-path active attacker" (really up to the authors as I do mind)
- section 9.3.3, nit in "client can authentic the"
- section 9 and 10, I wonder why section 9 (mechanisms) is not a sub-section of 
section 10 (I do not really mind though)
- section 11, should there be a "then" in "if AXFRs use AXoT all IXFRs MUST 
use IXoT"?
- section 12, the text talks about implementations but I wonder whether the 
section title should rather be on operations
- section 15, should there be a discussion on using a simple IP ACL as 
authentication? IP spoofing exists ;)

I hope it helps,

Regards

-éric
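The reconnaissance point raised above (a /64 cannot be scanned blindly, but a leaked zone lists the hosts directly) can be made concrete. The following is an added example, not part of the review or of the XoT draft: it parses an AXFR-style zone dump and turns its AAAA records into the target list an attacker would get, grouped by the /64 that would otherwise have to be scanned. The zone text, host names and addresses are constructed for the demo (2001:db8::/32 is the documentation prefix) and the function names are my own.

```python
"""
Added example (not from the review or the draft): why a leaked zone makes
IPv6 reconnaissance trivial. A blind scan of one /64 must cover 2**64
addresses; a zone transfer hands over the exact AAAA targets instead.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed AXFR-style zone dump in presentation format (hypothetical data).
ZONE_TEXT = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA  ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
@        IN NS   ns1.example.com.
ns1      IN A    192.0.2.1
ns1      IN AAAA 2001:db8:1::53
www      IN AAAA 2001:db8:1::80
mail     IN AAAA 2001:db8:1::25
; an internal host that a zone leak exposes although it was never meant to be findable
git-int  IN AAAA 2001:db8:2:a::1337
vpn      IN AAAA 2001:db8:2:a::1194
"""


def parse_aaaa(zone_text: str) -> List[Tuple[str, ipaddress.IPv6Address]]:
    """Return (owner_name, address) for every AAAA record in a zone dump.

    Handles $ORIGIN, '@', relative owner names and ';' comments; every
    other record type and directive is skipped. Only the plain one-line
    presentation format a zone dump normally uses is supported.
    """
    origin = "."
    found: List[Tuple[str, ipaddress.IPv6Address]] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0] == "$ORIGIN":
            origin = parts[1]
            continue
        if parts[0].startswith("$"):
            continue  # $TTL and other directives carry no targets
        # owner [ttl] [class] type rdata: locate the type token
        try:
            idx = parts.index("AAAA")
        except ValueError:
            continue
        owner = parts[0]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        found.append((owner, ipaddress.IPv6Address(parts[idx + 1])))
    return found


def prefixes_of(targets, prefixlen: int = 64) -> Dict[ipaddress.IPv6Network, List[str]]:
    """Group leaked hosts by the prefix an attacker would otherwise have to scan."""
    groups: Dict[ipaddress.IPv6Network, List[str]] = {}
    for name, addr in targets:
        net = ipaddress.IPv6Network((str(addr), prefixlen), strict=False)
        groups.setdefault(net, []).append(name)
    return groups


def blind_scan_space(prefixlen: int = 64) -> int:
    """Number of addresses a blind scan of one prefix of that length must cover."""
    return 2 ** (128 - prefixlen)


if __name__ == "__main__":
    targets = parse_aaaa(ZONE_TEXT)
    for net, names in prefixes_of(targets).items():
        print(f"{net}: {len(names)} host(s) from the zone "
              f"vs {blind_scan_space():,} addresses to scan blindly")
        for name in names:
            print("   ", name)
```

Run as a script it prints, per /64, the handful of hosts the zone reveals next to the 18,446,744,073,709,551,616 addresses a blind sweep of that prefix would need; the same parser can be pointed at the output of `dig AXFR` against any server that still allows unauthenticated transfers.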


_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
