ietf

Re: Last Call: <draft-iab-2870bis-01.txt> (DNS Root Name Service Protocol and Deployment Requirements) to Best Current Practice

2014-05-24 13:38:44
|   The root name service:
|
|      . . .
|
|      MUST support IPv4[RFC0791] and IPv6[RFC2460] transport of DNS
|      queries and responses.

This needs an addition: "Some servers in the root name service might not 
support IPv4, and some might not support IPv6." Without that, some people might 
think that each server must respond on both layer 3 technologies, but they do 
not.

|      MUST support UDP[RFC0768] and TCP[RFC0793] transport of DNS
|      queries and responses.

This also needs an addition, but I am not sure what it should say. Must every 
server in the service respond correctly on TCP? If so, what does "correctly" 
mean in the anycast world that most of them live in?

|      MUST generate checksums when sending UDP datagrams and MUST verify
|      checksums when receiving UDP datagrams containing a non-zero
|      checksum.

If "MUST verify checksums" means that if the request has a broken checksum, the 
server should not reply, that needs to be explicit. If that's the intention, 
better wording would be:

MUST generate checksums when sending UDP datagrams.
MUST NOT respond to UDP datagrams containing a
non-zero checksum if that checksum does not verify.

If that's not what was intended by "MUST verify checksums", this still needs 
clarification.

|      MUST answer queries from any entity conforming to [RFC1122] with a
|      valid IP address.

Joe brought up this question, and it's important. Is this BCP preventing "the 
root name service" from rate-limiting during DoS attacks?

|      MAY also serve the root-servers.net zone, and the zone for the
|      .arpa top-level domain [ARPAZONE],[RFC3172].

A "MAY" is not a requirement, and thus does not belong in this document. The 
service "may" do all sorts of things that are not listed here.

--Paul Hoffman
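The checksum discussion above turns on what a server actually does with each of the three cases RFC 768 allows: a zero checksum field (IPv4 only; RFC 2460 section 8.1 requires IPv6 receivers to discard a zero-checksum UDP packet), a non-zero checksum that verifies, and a non-zero checksum that does not. The following is an added example, not code from the draft or from this message, that builds an IPv4 UDP segment carrying a constructed root NS query, computes the RFC 768 checksum over the IPv4 pseudo-header, and applies the "verify, and do not respond on failure" rule proposed above. The function names (`udp_checksum`, `build_udp`, `should_answer`) and the sample addresses are assumptions for illustration.

```python
import struct

# Constructed sample: a minimal DNS query for the root (".", type NS, class IN).
# ID 0x1234, flags RD, QDCOUNT 1; the QNAME for the root is the single byte 0x00.
ROOT_NS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                 b"\x00" + b"\x00\x02\x00\x01")

# Constructed sample IPv4 addresses (documentation ranges, RFC 5737).
CLIENT_IP = bytes([192, 0, 2, 10])
SERVER_IP = bytes([198, 51, 100, 53])
UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum as used by IP, UDP and TCP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"            # odd trailing byte is padded with zero
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:             # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_pseudo_header(src_ip: bytes, dst_ip: bytes, udp_len: int) -> bytes:
    """RFC 768 pseudo-header: src, dst, zero, protocol, UDP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, UDP_PROTO, udp_len)


def udp_checksum(src_ip: bytes, dst_ip: bytes, segment_zeroed: bytes) -> int:
    """Checksum of a UDP segment whose checksum field is currently zero."""
    s = ones_complement_sum(ipv4_pseudo_header(src_ip, dst_ip, len(segment_zeroed))
                            + segment_zeroed)
    csum = (~s) & 0xFFFF
    # RFC 768: a computed value of zero is transmitted as all ones, because a
    # zero field on the wire means "no checksum" in IPv4.
    return csum or 0xFFFF


def build_udp(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP segment (header + payload) with a correct checksum."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def should_answer(src_ip: bytes, dst_ip: bytes, segment: bytes) -> tuple:
    """Apply the proposed rule: verify a non-zero checksum, drop on failure.

    Returns (answer: bool, reason: str). A zero checksum field is accepted
    without verification, which is only legal on IPv4 transport.
    """
    _sport, _dport, _length, csum = struct.unpack("!HHHH", segment[:8])
    if csum == 0:
        return True, "zero checksum (IPv4): accepted without verification"
    # With the transmitted checksum included, the one's complement sum over
    # pseudo-header plus segment must come out as all ones.
    total = ones_complement_sum(ipv4_pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    if total == 0xFFFF:
        return True, "checksum verifies"
    return False, "non-zero checksum does not verify: do not respond"


def demo() -> dict:
    """Run the three cases the draft's wording needs to distinguish."""
    good = build_udp(CLIENT_IP, SERVER_IP, 40000, 53, ROOT_NS_QUERY)
    # Corrupt one byte of the DNS ID; a single-byte change always breaks the sum.
    corrupted = good[:8] + b"\x13" + good[9:]
    # Same segment with the checksum field cleared to zero.
    unchecked = good[:6] + b"\x00\x00" + good[8:]
    return {
        "good": should_answer(CLIENT_IP, SERVER_IP, good),
        "corrupted": should_answer(CLIENT_IP, SERVER_IP, corrupted),
        "unchecked": should_answer(CLIENT_IP, SERVER_IP, unchecked),
    }


if __name__ == "__main__":
    for case, (answer, reason) in demo().items():
        print(f"{case:10s} answer={answer} ({reason})")
```

The verification step checks the sum including the transmitted field rather than recomputing and comparing, which is how RFC 1071 receivers are normally written and which handles the 0x0000/0xFFFF equivalence of one's complement arithmetic without a special case. Note that the zero-checksum acceptance branch is exactly the IPv4-only behaviour the draft's "non-zero checksum" qualifier is carving out; on IPv6 the same field value must cause a discard.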
