I was asked to review the changes made to this document
in the last few months. I have done so. None of the changes
have any apparent security impact. Some text was clarified
and examples were added. Therefore, my previous analysis
still applies.

I do not see any security issues that are not well covered in
this document. While I don't think this document will close any
major security issues, it includes some helpful guidance. So
I recommend that this document advance to RFC status.

Thanks,

Steve

> -----Original Message-----
> From: Stephen Hanna
> Sent: Wednesday, June 01, 2011 2:15 PM
> To: 'secdir at ietf.org'; 'draft-ietf-dnsext-rfc2672bis-
> dname at tools.ietf.org'
> Cc: 'ietf at ietf.org'
> Subject: secdir review of draft-ietf-dnsext-rfc2672bis-dname-22.txt
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> This document intends to replace RFC 2672, the definition of DNAME
> redirection in the DNS. DNAME is a DNS resource record type that
> (in layman's terms) indicates that all domain names ending in a
> specified suffix should be redirected to domain names where the
> suffix is replaced by a specified value. For example, all names
> that end with example.com should be remapped to example.net.
> 
> The document is quite thorough, apparently because the DNAME RR
> has been used for many years and a great deal of real-world
> experience has been gained. That's definitely a good thing!
> 
> From a security perspective, this document includes a more
> thorough analysis of security considerations than the original
> RFC 2672. It also includes a more thorough discussion of DNSSEC
> interactions than the earlier document.
> 
> I do not see any security issues that are not well covered in
> this document. While I don't think this document will close any
> major security issues, it includes some helpful guidance. So
> I recommend that this document advance to RFC status.
> 
> Thanks,
> 
> Steve