Greetings. This is a WG LC review of draft-ietf-dnsop-cookies, which I had not 
looked at carefully in some time. In short: it looks great, the document is 
complete and easy-to-read, and we probably should have done this nearly a 
decade ago when Donald started the work.

Substantial:

In Sections 4.1 and 4.2, it says that the cookies MUST NOT be the same for all 
recipients. This should be SHOULD NOT, to match the SHOULDs above. If an 
implementation does a stupid and uses the same cookies everywhere, it is no 
worse off for it, it just isn't getting as much protection as expected. (If I'm 
wrong about that latter bit, then the reason for the MUST NOT should be given 
in both sections.)

Section 5.4 seems unnecessary and possibly harmful. Why have an additional 
means to detect support other than "ask any question, even one that is going to 
get a REFUSED or NXDOMAIN answer"? The new mechanism will wreak havoc on tools 
that are watching DNS requests, for no real reason. I propose that this section 
be removed, or replaced with simply "if you want to know whether the server 
supports cookies, ask anything".

Editorial:

In Section 2.2, "the Dan Kaminsky attack" sounds like an attack by someone, not 
described by someone. The parenthetical can probably be removed, or turned into 
an informative reference from something that Dan wrote.

In Section 5.2, second paragraph, "as before" is unclear. This probably means 
"as if no COOKIE OPT option had been sent", but it should be explicit.

Procedural:

The third paragraph of Section 5.3 gives a new scenario in which TCP SHOULD be 
used. Thus, I think this draft updates RFC 5966, and the draft should be marked 
as such, even if it is only for this one important part. Also, this paragraph 
should refer to RFC 5966.

I continue to be concerned that draft-eastlake-fnv, which is likely to be used 
by implementations of cookies, is still just a draft, not an RFC. It's not for 
this WG to do, but anyone implementing this draft should read that draft, send 
comments, and let's get that published as well.

--Paul Hoffman
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
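As an added illustration (not part of Paul's review or of the draft's own text) of the two points above: a client cookie derived from the client address, the server address and a client secret differs for every recipient, and cookie support is visible in any ordinary answer because a cookie-aware server echoes the client cookie and appends its own. The hash is FNV-1a 64 as in the draft-eastlake-fnv that the review mentions; the EDNS option code 10 and the 8-byte client / 8..32-byte server cookie sizes are assumptions taken from the COOKIE wire format rather than from this message, and the addresses and secret are constructed test values.

```python
import ipaddress
import struct

EDNS_OPTION_COOKIE = 10          # EDNS option code assigned to COOKIE (assumption, not from this message)
FNV64_OFFSET = 0xcbf29ce484222325
FNV64_PRIME = 0x100000001b3
MASK64 = (1 << 64) - 1


def fnv1a_64(data: bytes) -> int:
    """64-bit FNV-1a, the hash family of draft-eastlake-fnv."""
    h = FNV64_OFFSET
    for b in data:
        h = ((h ^ b) * FNV64_PRIME) & MASK64
    return h


def client_cookie(client_secret: bytes, client_ip: str, server_ip: str) -> bytes:
    """8-byte client cookie bound to this (client, server) address pair.
    Hashing the server address in means one secret yields a different cookie
    per recipient, so a cookie seen by one server is useless towards another."""
    material = (ipaddress.ip_address(client_ip).packed
                + ipaddress.ip_address(server_ip).packed + client_secret)
    return struct.pack("!Q", fnv1a_64(material))


def encode_cookie_option(client: bytes, server: bytes = b"") -> bytes:
    """Wire form: OPTION-CODE, OPTION-LENGTH, 8-byte client cookie, optional 8..32-byte server cookie."""
    if len(client) != 8:
        raise ValueError("client cookie must be exactly 8 bytes")
    if server and not 8 <= len(server) <= 32:
        raise ValueError("server cookie must be 8..32 bytes")
    body = client + server
    return struct.pack("!HH", EDNS_OPTION_COOKIE, len(body)) + body


def parse_cookie_option(option: bytes):
    """Return (client_cookie, server_cookie) or None if this is not a well-formed COOKIE option."""
    if len(option) < 4:
        return None
    code, length = struct.unpack("!HH", option[:4])
    body = option[4:4 + length]
    if code != EDNS_OPTION_COOKIE or len(body) != length:
        return None
    if length != 8 and not 16 <= length <= 40:   # client only, or client + server
        return None
    return body[:8], body[8:]


def server_supports_cookies(response_option: bytes, sent_client: bytes) -> bool:
    """Any ordinary query reveals support: the answer carries our cookie back plus a server cookie."""
    parsed = parse_cookie_option(response_option)
    return parsed is not None and parsed[0] == sent_client and len(parsed[1]) >= 8
```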