Yaron, many thanks for your review. Comments inline: > On 26 Jun 2023, at 13:24, Yaron Sheffer via Datatracker <[email protected]> > wrote: > > Reviewer: Yaron Sheffer > Review result: Has Nits > > I am not a DNS expert so these may or may not be real issues. But I would > appreciate the authors' clarifications. > > - The error reports are unauthenticated. Some possible implications include: > (1) Operators may choose to implement automated responses to error reports, > and > will not consider that the source of the reports is untrusted. > (2) An adversary > may create massive error report flooding to camouflage an attack. At minimum, > I > suggest to mention these risks in the security considerations.
Will do. > > - "Authentication significantly increases the burden on the reporting resolver > without any benefit to the monitoring agent, authoritative server or reporting > resolver." I'm not sure I agree there's no benefit: a known, trusted set of > reporting resolvers can provide a higher level of confidence in the error > reports, and potentially enable more automated processing of these reports. > CDNs may become such trusted resolvers, for example. I will tone down the dismissive language and just use the following: "Authentication significantly increases the burden on the reporting resolver, however, a known, trusted set of reporting resolvers can provide a higher level of confidence in the error reports, and potentially enable more automated processing of these reports.” (I’ve used your text as guidance) > - In general, is there value to error reporting in the absence of (aggregated) > reporting on success? In other words, when evaluating a stream of errors, > isn't > it important to measure the percentage of errors as part of the overall number > of requests for a particular domain? Absolutely. However, I wanted to avoid predicting how the reporting agent is going to implement its analysis and reporting functions. > - This is yet another DNS covert channel. Should we mention it in the Security > Considerations? Is it though? If it is, isn’t all DNS susceptible to being a covert channel? Isn’t any traffic, not just DNS, susceptible of being another covert channel? > - What is the broader effect of avoiding DNSSEC for the agent domain? Does it > interfere with policies (and their automated enforcement) such as "sign > everything under .tld"? This should be dealt with in the relevant policy area. > - More formally, there is no normative language around avoiding DNSSEC. Is it > a > SHOULD? > > - DNS query name minimization - shouldn't there be some guidance on this? > Clearly minimization does not apply to the actual error portion of the report > QNAME. Clearly? An agent domain can setup its servers in various ways, say, a single agent domain “uk.error.com”, and subsequently delegate: uk._er.uk <http://er.uk/>.error.com co.uk <http://co.uk/>._er.uk.error.com <http://er.uk.error.com/> police.uk <http://police.uk/>._er.uk.error.com <http://er.uk.error.com/> Some_org.co.uk._er.uk.error.com <http://er.uk.error.com/> You’ll see that a single error for “example.co.uk <http://example.co.uk/>” may be delegated a few times before it reaches the target server. Hope this helps, Thanks for the review Yaron! Warmly, Roy > > > _______________________________________________ > DNSOP mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/dnsop _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
