IETF Logo Mail Archive

Re: [Add] FW: New Version Notification for draft-hal-adot-operational-considerations-00.txt

Michael Sinatra <michael@brokendns.net> Tue, 09 July 2019 01:29 UTC

Return-Path: <michael@brokendns.net>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A685012023F for <add@ietfa.amsl.com>; Mon, 8 Jul 2019 18:29:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qqM3qE7noPl3 for <add@ietfa.amsl.com>; Mon, 8 Jul 2019 18:29:31 -0700 (PDT)
Received: from burnttofu.net (burnttofu.net [IPv6:2607:fc50:1:9d00::9977]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B85C5120307 for <add@ietf.org>; Mon, 8 Jul 2019 18:29:29 -0700 (PDT)
Received: from elwha.brokendns.net (elwha.brokendns.net [IPv6:2607:f2f8:a544:0:0:0:0:2]) by burnttofu.net (8.15.2/8.15.2) with ESMTPS id x691THLX009849 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT); Mon, 8 Jul 2019 21:29:19 -0400 (EDT) (envelope-from michael@brokendns.net)
Received: from kimberton.burnttofu.net (unknown [IPv6:2604:5500:c2c2:fb00::7777]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by elwha.brokendns.net (5.65c/IDA-1.4.4/5.63) with ESMTPSA id AD6945D253; Mon, 8 Jul 2019 18:29:16 -0700 (PDT)
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "Livingood, Jason" <Jason_Livingood@comcast.com>, "Henderson, Karl" <khenderson=40verisign.com@dmarc.ietf.org>, "add@ietf.org" <add@ietf.org>
References: <156261197748.1097.13781803597501449499.idtracker@ietfa.amsl.com> <088F4881-BF32-4EC3-907E-DA9538962545@verisign.com> <91823055-dc9e-bffe-af80-6ce1233ae19f@cs.tcd.ie> <5028B709-4525-4756-9070-B9FC6640F1E2@cable.comcast.com> <8b89c2f6-4f82-f5b3-dbee-3469266be21b@cs.tcd.ie>
From: Michael Sinatra <michael@brokendns.net>
Message-ID: <24392f2e-9f42-d778-2546-34f2bd1f160d@brokendns.net>
Date: Mon, 08 Jul 2019 18:29:10 -0700
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <8b89c2f6-4f82-f5b3-dbee-3469266be21b@cs.tcd.ie>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Greylist: Default is to whitelist mail, not delayed by milter-greylist-4.6.2 (burnttofu.net [IPv6:2607:fc50:1:9d00:0:0:0:9977]); Mon, 08 Jul 2019 21:29:20 -0400 (EDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/5kBoUiRAhLr1HY_q_xpU8sS_i9k>
Subject: Re: [Add] FW: New Version Notification for draft-hal-adot-operational-considerations-00.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jul 2019 01:29:33 -0000

Howdy,

On 2019-07-08 15:48, Stephen Farrell wrote:
> 
> Hiya,
> 
> On 08/07/2019 23:30, Livingood, Jason wrote:
>> On 7/8/19, 3:40 PM, "Add on behalf of Stephen Farrell"
>> <add-bounces@ietf.org on behalf of stephen.farrell@cs.tcd.ie> wrote:
>>> Reading the draft I get the strong impression that
>> the authors don't like DNS/TLS in any form.
>>
>> [JL] You've either misread the draft or we need to make updates in
>> the -01 to fix this perception. The authors are in fact not opposed
>> to DoT, and are endeavoring to sort out all the operational issues
>> that need to be sorted to do DoT between a recursive and
>> authoritative server - at scale. As you might imagine, auth operators
>> such as TLD operators will be very careful in testing and deploying
>> DoT support and we're focused on how to make progress on this front.
>> And such a deployment needs to IMO be undertaken with clear eyes and
>> focusing on all the possible risks and barriers to scaling up and
>> operating reliably.

For the most part, as an authoritative server operator, I found the
draft to be useful and informative.  But I do agree with Stephen on two
counts: First, parts of the draft, notably section 1.1, tend to be
overly dismissive of the benefits of ADoT in their tone.  That section
appears to come to the conclusion that there are limited benefits to
ADoT versus recursive DoT (rDoT?) or other forms of encryption.  A
counter example is recursive resolvers running on home networks, where
the customer can be identified by the recursive server making the
queries.  EDNS(0) Client Subnet is another, as identified by the draft.
 Although Section 1.1 seems to acknowledge that the jury is still out,
parts of it are written *as though* a conclusion has already been achieved.

Perhaps an additional avenue for study is to examine the various
use-cases and analyze the risks and benefits of DNS encryption.

[snip]

>>> draft-green again? Sigh. If you want to re-run
>> that fiasco, then sure, if we must, I'm willing to try help kill that
>> zombie bad idea again if necessary, but do any of us really think
>> going there would be a productive use of time and energy?
>>
>> [JL] IMO your sarcasm isn't particularly constructive here. 
> 
> I wasn't being sarcastic, I mean every word literally. Which is
> sad, but draft-green and associated things caused about 2 years
> of major angst and kerfuffle in the TLS WG and is the cause of
> a sorta rift between the IETF and ETSI (who rubber-stamped the
> proposal rejected by TLS and then called that eTLS), so this is
> a really bad reference to include. And draft-green was all about
> weakening TLS. Honestly, if you can get out another rev before
> the cutoff that omitted that, I suspect you'd save you and us
> all some time.

The second agreement I have is that I'd like not to see static D-H given
much (if any) consideration in the doc.  Since the audience is DNS
server operators, I'd rather see considerations for instrumenting the
*servers* (recursive and/or authoritative) so that monitoring
information can be *securely* transmitted and analyzed.

I didn't participate in the debate around draft-green, but I spent some
time several months ago reading the TLS WG mailing list archives (and I
can speculate that it was MUCH easier to spend 1-2 hours reading mail
archives than to spend 1-2 years actually participating in the debate),
and I'd like to believe that the questions are settled and that we
probably don't want to re-open them.  Put differently, since we're
talking about DNS-over-*TLS*, then we should trust the TLS WG to have
done the right thing consensus-wise and build upon their work rather
than re-inspecting it (or giving the appearance that we want to do so).
 And I do think there are other ways of solving the monitoring
consideration (e.g. logging or post-decryption dnstap-like
functionality) that should appear in section 3.5 that might well provide
a quite reasonable alternative to weakening TLS.

That brings up one picky point: The bullet point about the use of a TLS
proxy has implications for both section 3.5 and 3.6, not just 3.6, as
DNS queries could be monitored post-encryption between the proxy and
server endpoint.  So it's a potential solution to both monitoring and
architectural issues that may arise.

Overall there's a lot to think about here, and I appreciate the effort,
and plan to go over these considerations more carefully in the coming
days--and may have additional comments.

michael

v2.23.0 | Report a Bug | By Email