I think the draft is good enough to be advanced. Since it is on the
Experimental track, there isn't too much risk. It only affects the resolver
that chooses to do it, not any other entity and doesn't change the DNS protocol.
Basic copy-edit comments:
1. Section 1. Introduction and background
s/etc/etc. (Depends on style guide used I guess)
2. Section 3
I would prefer the sentence on legal issues be dropped. It may decrease
the usefulness of the logging, but maybe not the obligation to do it.
3. Section 3, paragraph 5
"Other strange and illegal practices..." Perhaps illegal is too strong
of a word - replace with "unsafe"? If it is illegal somewhere, keep the
language as is.
There also used to be a very poorly implemented load balancer that
would always return A RRs for whatever qtype was asked. So a query for
"example.com NS" would always return "www.example.com A". A couple of .gov
sites used them, but replaced them when deploying DNSSEC. Not sure if they are
still being used elsewhere. Like the other broken load balancers, they are
only found on leaf nodes so not a major stumbling block.
Security Considerations:
While it does reduce the amount of data seen by wire sniffers, it
depends on where the wire sniffers are - if one is on the ISP somewhere in
front of the recursive resolver, it could construct the entire query by
recording all the minimized queries. Maybe rewrite as "Minimising the amount
of data sent also, in part, addresses the case of a wire sniffer on transit
networks as well as the case of privacy violation by the servers."
also: s/improvment/improvement
Scott
===================================
Scott Rose
NIST
[email protected]
+1 301-975-8439
Google Voice: +1 571-249-3671
http://www.dnsops.gov/
https://www.had-pilot.com/
===================================
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
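The minimisation behaviour and the observer positions raised in the review above, simulated as an added example (not code from the thread or from the draft): the zone layout, the resolver's cache contents and the "upstream-link" vantage name are constructed assumptions.

```python
"""QNAME minimisation simulator: which query names each party gets to see.
Added example, not code from the thread or the draft; zones, cache contents
and observer positions are constructed for illustration."""
Query = tuple[str, str, str]  # (zone whose server is asked, qname, qtype)

def labels(name: str) -> list[str]:
    """'www.example.com.' -> ['www', 'example', 'com'] (root label dropped)."""
    return [l for l in name.rstrip(".").split(".") if l]

def closest_zone(name: str, cache: list[str]) -> str:
    """Longest zone apex in the resolver's cache that encloses `name`."""
    enclosing = [z for z in cache if z != "." and (name == z or name.endswith("." + z))]
    return max(enclosing, key=lambda z: len(labels(z)), default=".")

def minimised_queries(qname: str, qtype: str, cache: list[str], zones: list[str]) -> list[Query]:
    """Queries a minimising resolver sends (RFC 7816 style): start at the closest
    cached zone cut, add one label per step asking for NS, and send the real
    qname/qtype only in the last step.  `zones` lists the actual zone cuts and
    stands in for the referrals the resolver would receive on the way."""
    qname = qname.rstrip(".")
    qlabels = labels(qname)
    zone = closest_zone(qname, cache)
    current = labels(zone)
    queries: list[Query] = []
    while len(current) + 1 < len(qlabels):
        current.insert(0, qlabels[-len(current) - 1])
        name = ".".join(current)
        queries.append((zone, name, "NS"))
        if name in zones:  # referral received: continue at the child zone's server
            zone = name
    queries.append((zone, qname, qtype))
    if qname in zones and zone != qname:  # the last step itself crossed a zone cut
        queries.append((qname, qname, qtype))
    return queries

def classic_queries(qname: str, qtype: str, cache: list[str], zones: list[str]) -> list[Query]:
    """Without minimisation every server on the path receives the full qname/qtype."""
    path = dict.fromkeys(z for z, _, _ in minimised_queries(qname, qtype, cache, zones))
    return [(z, qname.rstrip("."), qtype) for z in path]

def names_seen(queries: list[Query], vantage: str) -> list[str]:
    """Names visible at a vantage point: one zone's server sees only what is sent
    to it, while a sniffer on the resolver's upstream link (the case raised in the
    review) sees every minimised query and can reassemble the full name."""
    if vantage == "upstream-link":
        return [q[1] for q in queries]
    return [q[1] for q in queries if q[0] == vantage]
```

Comparing `names_seen(classic_queries(...), "com")` with `names_seen(minimised_queries(...), "com")` shows what the com servers stop seeing, while the "upstream-link" vantage shows why the gain is only partial.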