Alissa Cooper has entered the following ballot position for
draft-ietf-dnsop-edns-client-subnet-06: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-edns-client-subnet/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

I support Stephen's DISCUSS point. My assumption in reading the
recommendation is that all recursive resolvers are recommended to disable
ECS by default.

= Section 1 =
"The
   motivation for a user to configure such a Centralized Resolver varies
   but is usually because of some enhanced experience, such as greater
   cache security or applying policies regarding where users may
   connect."

Assuming by "user" you mean end user of the DNS, I think this would make
more sense if it said "user or ISP" or something like that. I assume it's
much more common for ISPs to explicitly choose to use centralized
resolvers than for end users to do so.

= Section 2 =
Given that you reference specific implementations in various places in
the document, it would be interesting to note any specific implementations
that surface the opt-out choice to users.

= Section 5 =

s/client location/client network location/

= Section 7.2.1 =

"A SCOPE PREFIX-LENGTH value longer than the SOURCE PREFIX-LENGTH
   indicates that the provided prefix length was not specific enough to
   select the most appropriate Tailored Response.  Future queries for
   the name within the specified network SHOULD use the longer SCOPE
   PREFIX-LENGTH."

I think it would help to expand a bit about using the exception case for
the SHOULD here. It seems to me that this basically involves a judgment
call by the operator of the recursive resolver between exposing a longer
prefix or providing less useful information to an authoritative resolver
that is indicating that it needs more information. But setting SOURCE
PREFIX-LENGTH involved a judgment call in the first place about the
privacy protection involved in providing a less-than-full address. So how
is a recursive resolver supposed to decide whether to follow the
indication from the authoritative resolver about prefix length?


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
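As an added illustration of the Section 7.2.1 point above (not code from the draft or from the reviewer), the following Python encodes and decodes the ECS option body (FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH, truncated ADDRESS; EDNS option code 8 in the published specification) and shows one way a recursive resolver can answer the "how long a prefix should I send next time?" question: honour a longer SCOPE only up to an operator-configured privacy cap. The cap values in MAX_SOURCE are a hypothetical operator policy, not something the draft mandates.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS option code for Client Subnet

def build_ecs(addr: str, source: int, scope: int = 0) -> bytes:
    """Encode an ECS option body; ADDRESS is truncated to SOURCE bits."""
    ip = ipaddress.ip_address(addr)
    family = 1 if ip.version == 4 else 2
    nbytes = (source + 7) // 8
    # Zero the bits beyond SOURCE PREFIX-LENGTH before truncating, so the
    # resolver never leaks host bits it claims not to send.
    net = ipaddress.ip_network(f"{ip}/{source}", strict=False)
    packed = net.network_address.packed[:nbytes]
    return struct.pack("!HBB", family, source, scope) + packed

def parse_ecs(body: bytes):
    """Decode an ECS option body; rejects an ADDRESS shorter than SOURCE."""
    if len(body) < 4:
        raise ValueError("ECS option body too short")
    family, source, scope = struct.unpack("!HBB", body[:4])
    full = 4 if family == 1 else 16
    if source > full * 8 or scope > full * 8:
        raise ValueError("prefix length exceeds address family width")
    nbytes = (source + 7) // 8
    raw = body[4:4 + nbytes]
    if len(raw) != nbytes:
        raise ValueError("ADDRESS field shorter than SOURCE PREFIX-LENGTH")
    addr = ipaddress.ip_address(raw + b"\x00" * (full - nbytes))
    return family, source, scope, addr

# Hypothetical operator policy: the most specific prefix this resolver is
# willing to expose per family, regardless of what an authority asks for.
MAX_SOURCE = {1: 24, 2: 56}

def next_source(family: int, source: int, scope: int) -> int:
    """Prefix length to use in future queries for this name and network.

    A SCOPE longer than SOURCE asks for more bits; the privacy cap decides
    how far to follow that request. A SCOPE equal to or shorter than SOURCE
    needs no change, since the answer already covers the sent prefix."""
    if scope > source:
        return min(scope, MAX_SOURCE[family])
    return source

# Constructed sample: a /24 of the documentation range, authority wants /32.
sample = build_ecs("192.0.2.130", 24)
fam, src, scp, net = parse_ecs(sample)
```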