IETF Logo Mail Archive

Re: [Add] A proposed charter for ABCD

Vittorio Bertola <vittorio.bertola@open-xchange.com> Mon, 23 December 2019 14:30 UTC

Return-Path: <vittorio.bertola@open-xchange.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 016DB1200B7 for <add@ietfa.amsl.com>; Mon, 23 Dec 2019 06:30:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=open-xchange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zY-tOtUykSUb for <add@ietfa.amsl.com>; Mon, 23 Dec 2019 06:30:13 -0800 (PST)
Received: from mx4.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE42F1200B8 for <add@ietf.org>; Mon, 23 Dec 2019 06:30:12 -0800 (PST)
Received: from open-xchange.com (imap.open-xchange.com [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx4.open-xchange.com (Postfix) with ESMTPS id 8FDC06A256; Mon, 23 Dec 2019 15:30:07 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=open-xchange.com; s=201705; t=1577111407; bh=up6eJbWHAWOA8jYbY2lShiWt3fHT9uUuxmArLxUrsKQ=; h=Date:From:To:In-Reply-To:References:Subject:From; b=d9qaGCSyhXqvtt8IV3oXrIp7Td9yIRQOOw6X++2kpH1KkGNwVrY25odw7T0ZiY+1p SZYQsn7VI1irkPVQdBjE1MhXPj4dz1M64aQKTJgr9ClperHYpv9LHcv23m7T4Z6Jqn HIgqFrqx2v5neWkN1zT0KAtzHMPfhUpE0dEwe72nacYu34sjbIoSP5cjvxmYvfzFIA L3LMA4o9jBR747tMuIC0m9E5E5bWmL3whLqW05pgOEnXtci7jr2zGtag0EXVocvddw z25SGlZ3Ahsj4rr1mvb40z+3WBS7LV/I89KePEhn7yI5+zi5739B3P+3tHYy8H5Gfi 406o8DXFBScRg==
Received: from appsuite-gw1.open-xchange.com (appsuite-gw1.open-xchange.com [10.20.28.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id 832933C047B; Mon, 23 Dec 2019 15:30:07 +0100 (CET)
Date: Mon, 23 Dec 2019 15:30:07 +0100
From: Vittorio Bertola <vittorio.bertola@open-xchange.com>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, ADD Mailing list <add@ietf.org>
Message-ID: <1890378246.5762.1577111407445@appsuite-gw1.open-xchange.com>
In-Reply-To: <CAHbrMsACEWWFxw04KUc4Q66G4hf_P3V3eOnAHqw18PDxCn-b2g@mail.gmail.com>
References: <CAHbrMsACEWWFxw04KUc4Q66G4hf_P3V3eOnAHqw18PDxCn-b2g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3
Importance: Normal
X-Mailer: Open-Xchange Mailer v7.10.3-Rev3
X-Originating-Client: open-xchange-appsuite
Autocrypt: addr=vittorio.bertola@open-xchange.com; prefer-encrypt=mutual; keydata= mQENBFhFR+UBCACfoywFKBRfzasiiR9/6dwY36eLePXcdScumDMR8qoXvRS55QYDjp5bs+yMq41qWV9 xp/cqryY9jnvHbeF3TsE5yEazpD1dleRbkpElUBpPwXqkrSP8uXO9KkS9KoX6gdml6M4L+F82WpqYC1 uTzOE6HPmhmQ4cGSgoia2jolxAhRpzoYN99/BwpvoZeTSLP5K6yPlMPYkMev/uZlAkMMhelli9IN6yA yxcC0AeHSnOAcNKUr13yXyMlTyi1cdMJ4sk88zIbefxwg3PAtYjkz3wgvP96cNVwAgSt4+j/ZuVaENP pgVuM512m051j9SlspWDHtzrci5pBKKFsibnTelrABEBAAG0NUJlcnRvbGEsIFZpdHRvcmlvIDx2aXR 0b3Jpby5iZXJ0b2xhQG9wZW4teGNoYW5nZS5jb20+iQFABBMBAgAqBAsJCAcGFQoJCAsCBRYCAwEAAp 4BAhsDBYkSzAMABQMAAAAABYJYRUflAAoJEIU2cHmzj8qNaG0H/ROY+suCP86hoN+9RIV66Ej8b3sb8 UgwFJOJMupZfeb9yTIJwE4VQT5lTt146CcJJ5jvxD6FZn1Htw9y4/45pPAF7xLE066jg3OqRvzeWRZ3 IDUfJJIiM5YGk1xWxDqppSwhnKcMOuI72iioWxX0nGQrWxpnWJsjt08IEEwuYucDkul1PHsrLJbTd58 fiMKLVwag+IE1SPHOwkPF6arZQZIfB5ThtOZV+36Jn8Hok9XfeXWBVyPkiWCQYVX39QsIbr0JNR9kQy 4g2ZFexOcTe8Jo12jPRL7V8OqStdDes3cje9lWFLnX05nrfLuE0l0JKWEg8akN+McFXc+oV68h7nu5A Q0EWEVH5QEIAIDKanNBe1uRfk8AjLirflZO291VNkOAeUu+dIhecGnZeQW6htlDinlYOnXhtsY1mK9W PUu+xshDq7lXn2G0LxldYwyJYZaJtDgIKqVqwxfA34Lj27oqPuXwcvGhdCgt0SW/YcalRdAi0/AzUCu 5GSaj2kaGUSnBYYUP4szGJXjaK2psP5toQSCtx2pfSXQ6MaqPK9Zzy+D5xc6VWQRp/iRImodAcPf8fg JJvRyJ8Jla3lKWyvBBzJDg6MOf6Fts78bJSt23X0uPp93g7GgbYkuRMnFI4RGoTVkxjD/HBEJ0CNg22 hoHJondhmKnZVrHEluFuSnW0wBEIYomcPSPB+cAEQEAAYkBMQQYAQIAGwUCWEVH5QIbDAQLCQgHBhUK CQgLAgUJEswDAAAKCRCFNnB5s4/KjdO8B/wNpvWtOpLdotR/Xh4fu08Fd63nnNfbIGIETWsVi0Sbr8i E5duuGaaWIcMmUvgKe/BM0Fpj9X01Zjm90uoPrlVVuQWrf+vFlbalUYVZr51gl5UyUFHk+iAZCAA0WB rsmACKvuV1P7GuiX3UV9b59T9taYJxN3dNFuftrEuvsqHimFtlekUjUwoCekTJdncFusBhwz2OrKhHr WWrEsXkfh0+pURWYAlKlTxvXuI7gAfHEQM+6OnrWvXYtlhd0M1sBPnCjbyG63Qws7Rek9bEWKtH6dA6 dmT2FQT+g1S9Mdf0WkPTQNX0x24dm8IoHuD3KYwX7Svx43Xa17aZnXqUjtj1
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/2xCY9GAPjXzbQpIkAjgGeE4Yj7k>
Subject: Re: [Add] A proposed charter for ABCD
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Dec 2019 14:30:14 -0000

Thanks for putting this together, and see comments below.
Il 20/12/2019 16:20 Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> ha scritto:

Proposed charter text:

This working group will focus on DNS client side topics, particularly discovery and selection of resolvers. This complements existing DNS-related working groups, which are responsible for improvements to the DNS protocol itself, and for operational questions that are principally of interest to DNS server operators.

The working group is chartered to develop an extensible protocol for a DNS client to learn detailed information about a resolver, based on draft-ietf-dnsop-resolver-information, which will be transferred from dnsop. 
I think that one actual problem that many here would like to solve is: for decades we have been discovering and using the local network-provided resolver as a default, we would like to continue doing that but with an encrypted local resolver, how do we do that? This draft charter seems to assume that the client will discover the unencrypted local resolver through the currently existing protocols, leaving this phase out of scope, and then will use a new method, to be developed and in scope for this group, to find out the encrypted local resolver that matches the unencrypted one. But are we already sure that this is the best solution for the problem, rather than developing something new that does both things at the same time? Otherwise, the mission above should also include, at least as an option, the discovery of locally available encrypted resolvers.
Relying on this new protocol where appropriate, the working group should produce standards-track, informational, or experimental documents that provide the following items, using the drafts in brackets as input (with no obligation to adopt them): * methods for a recursive resolver to advertise support for an alternative transport protocol [draft-sah-resinfo-doh],
 * methods for a recursive resolver to indicate that it will sometimes return DNS results that are different from the global DNS [draft-grover-add-policy-detection],
Building on what I said above, I will point out that conceptually users are not interested in a resolver's policy, but rather in the local network's policy, i.e. conditions, restrictions and safeguards to Internet access effected by the network's owner via DNS. So it is useless to have the capability for a resolver to indicate policy, if there is not also the capability for a client to discover that that resolver exists and is able to provide information on the local network's policy.
 * methods for improving user privacy by avoiding DNS queries that leak information or directing them to a server that will have this information anyway [draft-pauly-dprive-adaptive-dns-privacy],
I am still not convinced that the concept in that draft "improves user privacy". Can we please avoid giving that for granted?

Also, more generally, the idea of using many resolvers at once, rather than a single one, opens several cans of worms in policy and legal terms, and possibly even in terms of "security & stability" (in the ICANN sense). Perhaps the IETF should stop working on new technical developments just because it can, and assess the non-technical implications of these new developments before working on them.
and * a format for describing the client’s DNS configuration, suitable for diagnostics and debugging.

Where possible, any mechanisms that specify exchange of information between clients and resolvers should provide the security properties expected of IETF protocols, e.g., confidentiality protection, integrity protection, and authentication with strong work factor.  Each specification must clearly indicate under what circumstances and assumptions these properties are or are not provided.
This is not only true of security, but also of privacy - some mechanisms could provide more or less of it depending on the assumptions and on the privacy threat model, and this should also be discussed.

There should also be work on documenting the existing use cases and services that consumer DNS resolvers provide, so that one could see whether the assumptions above are met in real world situations or not.

-- 

Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bertola@open-xchange.com 
Office @ Via Treviso 12, 10144 Torino, Italy

v2.23.0 | Report a Bug | By Email