Greetings. This document is still listed as in WG Last Call, although I haven't 
seen anything in the archive about that Last Call closing.

The document seems mostly fine, and it certainly seems like a useful IPsec 
extension. I have only two concerns:

- Section 5 says:
   An initiator SHOULD ignore INTERNAL_DNS_DOMAIN attributes containing
   domains that are designated Special Use Domain Names in [RFC6761],
   such as "local", "localhost", "invalid", etc.  Although it may
   explicitly wish to support some Special Use Domain Names.
There is no way that an implementation can easily follow what is in the IANA 
registry for Special Use Domain names. Further, given that the names are 
going to be internal, there isn't a good reason to prevent them from being used 
beyond the normal "don't make up names that someone else might be using" 
argument. The second sentence (fragment) doesn't give enough detail to help an 
implementer. I think that this whole paragraph can be safely removed.

- Section 6 says:
   The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be
   passed to another (DNS) program for processing.  The content MUST be
   verified and sanitized before passing it to other software.  For
   example, domain names are limited to alphanumeric characters and the
   minus ("-") and underscore ("_") symbol and if other characters
   are present, the entire payload could be ignored and not passed to
   DNS software, or the malicious characters could be filtered out
   before passing the payload to DNS software.
That is not correct. *Host* names are limited, but domain names are not. Domain 
names can have any octet in them. This is a common misunderstanding in the DNS; 
see RFC 7719 for definitions of DNS terms. I suggest that this paragraph be 
changed to:
   The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be
   passed to another (DNS) program for processing.  Some DNS programs
   only handle domain names in host name format, although many are
   inconsistent about this. 

--Paul Hoffman
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
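The host-name versus domain-name distinction raised in the second comment is easy to get wrong in code. The following is an added example (not part of the mailing list message or the draft under review) that checks a received name two ways: against the wire-format limits that actually bound a domain name (labels of 1 to 63 octets of any value, 255 octets encoded), and against the stricter letters-digits-hyphen host-name syntax of RFC 952/1123. It also shows the alternative to filtering "malicious characters": rendering any label octets in RFC 1035 master-file escape syntax so that nothing is silently dropped or altered before the name reaches DNS software. The function names and the assumption that input names carry no backslash escapes are this example's own.

```python
import re

# Added example, not code from the draft or the mailing list thread.
# Host-name label syntax ("letters, digits, hyphen", RFC 952 / RFC 1123):
# 1..63 characters, no leading or trailing hyphen.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def labels_from_simple_name(name: str) -> list[bytes]:
    """Split an unescaped presentation-format name into UTF-8 label octets.

    Assumption of this example: the input carries no backslash escapes.
    A trailing root dot is dropped.
    """
    if name.endswith("."):
        name = name[:-1]
    return [label.encode("utf-8") for label in name.split(".")] if name else []


def is_valid_domain_name(labels: list[bytes]) -> bool:
    """Only the RFC 1035 wire-format limits bound a domain name:
    each label is 1..63 octets of any value, and the encoded name
    (length byte + label per label, plus the root length byte) is <= 255."""
    if any(len(label) == 0 or len(label) > 63 for label in labels):
        return False
    wire_length = sum(len(label) + 1 for label in labels) + 1
    return wire_length <= 255


def is_hostname_format(labels: list[bytes]) -> bool:
    """Stricter host-name syntax: ASCII letters, digits and hyphen only.
    Names such as _ldap._tcp.example.com are valid domain names but fail here."""
    if not is_valid_domain_name(labels):
        return False
    return all(
        label.isascii() and _LDH_LABEL.match(label.decode("ascii")) is not None
        for label in labels
    )


def to_presentation(labels: list[bytes]) -> str:
    """Render arbitrary label octets in RFC 1035 master-file syntax so the
    name can be handed to DNS software without dropping or altering octets:
    '.' and '\\' are backslash-escaped, and octets outside printable ASCII
    become \\DDD (three decimal digits). A trailing root dot is emitted."""
    rendered = []
    for label in labels:
        chars = []
        for octet in label:
            if octet in (0x2E, 0x5C):        # '.' or '\' inside a label
                chars.append("\\" + chr(octet))
            elif 0x21 <= octet <= 0x7E:      # printable ASCII, passed through
                chars.append(chr(octet))
            else:                            # control, space, or non-ASCII octet
                chars.append(f"\\{octet:03d}")
        rendered.append("".join(chars))
    return ".".join(rendered) + "."


if __name__ == "__main__":
    # Constructed sample inputs for a quick look at the three checks.
    for sample in ("corp.example.com", "_ldap._tcp.example.com", "bücher.example"):
        labels = labels_from_simple_name(sample)
        print(sample, is_valid_domain_name(labels), is_hostname_format(labels),
              to_presentation(labels))
```

An implementation that wants to accept only host-name-format names can call is_hostname_format and reject everything else; one that wants to pass any syntactically valid domain name onward can check is_valid_domain_name and then use to_presentation, which keeps every octet intact instead of guessing which characters are "malicious".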
