Greetings. This is a WG LC review of draft-ietf-dnsop-cookies, which I had not looked at carefully in some time. In short: it looks great, the document is complete and easy-to-read, and we probably should have done this nearly a decade ago when Donald started the work.
Substantial:

In Sections 4.1 and 4.2, it says that the cookies MUST NOT be the same for all recipients. This should be SHOULD NOT, to match the SHOULDs above. If an implementation does a stupid and uses the same cookies everywhere, it is no worse off for it, it just isn't getting as much protection as expected. (If I'm wrong about that latter bit, then the reason for the MUST NOT should be given in both sections.)

Section 5.4 seems unnecessary and possibly harmful. Why have an additional means to detect support other than "ask any question, even one that is going to get a REFUSED or NXDOMAIN answer"? The new mechanism will wreak havoc on tools that are watching DNS requests, for no real reason. I propose that this section be removed, or replaced with simply "if you want to know whether the server supports cookies, ask anything".

Editorial:

In Section 2.2, "the Dan Kaminsky attack" sounds like an attack by someone, not described by someone. The parenthetical can probably be removed, or turned into an informative reference from something that Dan wrote.

In Section 5.2, second paragraph, "as before" is unclear. This probably means "as if no COOKIE OPT option had been sent", but it should be explicit.

Procedural:

The third paragraph of Section 5.3 gives a new scenario in which TCP SHOULD be used. Thus, I think this draft updates RFC 5966, and the draft should be marked as such, even if it is only for this one important part. Also, this paragraph should refer to RFC 5966.

I continue to be concerned that draft-eastlake-fnv, which is likely to be used by implementations of cookies, is still just a draft, not an RFC. It's not for this WG to do, but anyone implementing this draft should read that draft, send comments, and let's get that published as well.

--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
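As an added illustration of the per-recipient cookie point raised above (this is example code, not text or code from the draft or from the review), the following builds client and server cookies with FNV-1a 64, the hash from draft-eastlake-fnv that the review mentions. The specific fields hashed into each cookie are an assumption for illustration, not the draft's normative construction.

```python
"""Per-recipient DNS cookies with FNV-1a 64 (added example, not from the draft).
The fields hashed into each cookie below are an assumption for illustration."""
import hmac
import ipaddress
import secrets

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3


def fnv1a_64(data: bytes) -> int:
    """FNV-1a, 64-bit: XOR each byte into the state, then multiply by the prime."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


def client_cookie(client_ip: str, server_ip: str, client_secret: bytes) -> bytes:
    """8-byte client cookie bound to the (client, server) address pair and a
    client-held secret, so every server the client talks to sees a different value."""
    data = (ipaddress.ip_address(client_ip).packed
            + ipaddress.ip_address(server_ip).packed + client_secret)
    return fnv1a_64(data).to_bytes(8, "big")


def server_cookie(client_ip: str, ccookie: bytes, server_secret: bytes) -> bytes:
    """8-byte server cookie bound to the requesting address, the client cookie it
    arrived with, and a server-held secret, so it differs for every recipient."""
    data = ipaddress.ip_address(client_ip).packed + ccookie + server_secret
    return fnv1a_64(data).to_bytes(8, "big")


def server_accepts(client_ip: str, ccookie: bytes, presented: bytes,
                   server_secret: bytes) -> bool:
    """Server-side check: recompute the expected cookie and compare in constant time."""
    expected = server_cookie(client_ip, ccookie, server_secret)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed sample: documentation-range addresses and fresh random secrets.
    csecret, ssecret = secrets.token_bytes(16), secrets.token_bytes(16)
    cc = client_cookie("192.0.2.10", "198.51.100.53", csecret)
    sc = server_cookie("192.0.2.10", cc, ssecret)
    print("server cookie issued to 192.0.2.10:", sc.hex())
    # A cookie issued to one source address is not valid for another one.
    print("accepted from 192.0.2.11:", server_accepts("192.0.2.11", cc, sc, ssecret))  # False
```

Because the secret is mixed into the hash, a recipient that learns its own cookie learns nothing about the cookies issued to other addresses, which is the protection a single shared cookie value would forfeit.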