Ralph:
All of the previous comments should be incorporated. But, in addition:
Section 4 and 5 state that a "Server sends ... option to the DHCP client".
However, the list of messages in which these options may appear includes
client generated messages (Solicit, Request, Renew, Rebind,
Information-Request).
I believe that client generated messages can request these option codes
in an ORO option, but should they include these options? There may be
little harm in allowing them? Though it is difficult to see how they
could appear in a Solicit even in that case.
In section 7, for:

    Because the Domain Search List option may be used to spoof DNS name
    resolution in a way that cannot be detected by DNS security
    mechanisms like DNSSEC [5], DHCP clients and servers MUST use
    authenticated DHCP when a Domain Search List option is included in a
    DHCP message.

Might it be better to instead state that a client MUST NOT install the Domain
Search List unless the message was authenticated? This is cleaner as to what
it requires a client and server to do. It is difficult for a client to know
in advance whether a server will supply the option?
The same might be true of the Domain Name Server option??
Otherwise, the draft looks fine and I would like to see it advanced.
- Bernie Volz
-----Original Message-----
From: Ralph Droms [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 10, 2003 11:23 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [dhcwg] Re: WG last call on draft-ietf-dhc-dhcpv6-opt-dnsconfig-02.txt
Pekka,
Thanks for the review and feedback; my comments are in line...
And - for other members of the dhc, dnsext and ipv6 WGs: please
respond to this last call notice with comments or an explicit
ack to indicate you accept the draft as published. Thanks...
- Ralph
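
Added example, not part of either message or of the draft: a client-side sketch of the rule suggested above for section 7, where the Domain Search List is parsed from any message but installed only if that message was authenticated. The option code 24 is the value later assigned in RFC 3646, and the function names, the `authenticated` flag (assumed to come from the client's own DHCP authentication check) and the sample Reply are assumptions constructed for illustration.

```python
import struct

OPTION_DOMAIN_LIST = 24  # code later assigned in RFC 3646; not given in the message

def parse_options(msg: bytes) -> dict:
    """Map option code -> list of payloads for one DHCPv6 client/server message."""
    opts, off = {}, 4  # skip msg-type (1 byte) and transaction-id (3 bytes)
    while off < len(msg):
        if off + 4 > len(msg):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", msg, off)
        off += 4
        if off + length > len(msg):
            raise ValueError("option length runs past end of message")
        opts.setdefault(code, []).append(msg[off:off + length])
        off += length
    return opts

def decode_search_list(data: bytes) -> list:
    """Decode a sequence of uncompressed RFC 1035 names."""
    names, labels, off = [], [], 0
    while off < len(data):
        n = data[off]
        off += 1
        if n == 0:  # root label ends one name
            names.append(".".join(labels))
            labels = []
        elif n > 63 or off + n > len(data):
            raise ValueError("bad label length")
        else:
            labels.append(data[off:off + n].decode("ascii"))
            off += n
    if labels:
        raise ValueError("unterminated domain name")
    return names

def search_list_to_install(msg: bytes, authenticated: bool) -> list:
    """Return the search list to install; empty unless the message was authenticated."""
    found = []
    for payload in parse_options(msg).get(OPTION_DOMAIN_LIST, []):
        found += decode_search_list(payload)
    # `authenticated` is assumed to be the result of the client's DHCP authentication check
    return found if authenticated else []

# Constructed sample: Reply (type 7), transaction-id 0x000001, one search-list option
_payload = b"\x07example\x03com\x00\x04corp\x07example\x03com\x00"
SAMPLE_REPLY = b"\x07\x00\x00\x01" + struct.pack("!HH", OPTION_DOMAIN_LIST, len(_payload)) + _payload
```

The decision is made per received message, so the client does not need to know in advance whether the server will supply the option.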
