ietf-wg-dnsop/draft-ietf-dnsop-avoid-fragmentation

Donald Eastlake SECDIR comment "Security"

Security

In Section 7.3, the second paragraph on DNSSEC does not seem to belong in a section on "Weaknesses of IP fragmentation". I suggest moving it to a new Section 7.4 entitled "DNS Security Protections" or the like.

Not only should the existing DNSSEC material be moved there but there should be some mention of transaction authentication. The existing document completely ignores RFC 8945 and RFC 2931 transaction authentication which, it seems to me, when used, overcome the security infirmities of fragmented UDP. Furthermore, transaction security protects delegation responses. Perhaps adding something like "DNS transaction security [RFC8945] [RFC2931] does protect against the security risks of fragmentation including protecting delegation responses. But [RFC8945] has limited applicability due to key distribution requirements and there is little if any deployment of [RFC2931]."

There seem to be inconsistent implementation requirements for recommendation R7. R7 itself says "MAY" but Section 7.1 says "should" in such a way that I think it should be capitalized "SHOULD". Also, I think the last sentence of 7.1 should be deleted and recommendation R2 made a "SHOULD".

Partially implemented in my proposed PR