Re: [auth48] AUTH48: RFC-to-be 9463 <draft-ietf-add-dnr-16> for your review
rfc-editor@rfc-editor.org Sat, 09 September 2023 02:56 UTC
Return-Path: <wwwrun@rfcpa.amsl.com>
X-Original-To: auth48archive@ietfa.amsl.com
Delivered-To: auth48archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C31BDC15152D; Fri, 8 Sep 2023 19:56:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.534
X-Spam-Level:
X-Spam-Status: No, score=0.534 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, CTE_8BIT_MISMATCH=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, RDNS_NONE=0.793, SPF_HELO_SOFTFAIL=0.732, SPF_SOFTFAIL=0.665, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lsEEXGMrlKFW; Fri, 8 Sep 2023 19:55:58 -0700 (PDT)
Received: from rfcpa.amsl.com (unknown [50.223.129.200]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A299C15106A; Fri, 8 Sep 2023 19:55:58 -0700 (PDT)
Received: by rfcpa.amsl.com (Postfix, from userid 499) id 6F9F9E5EA7; Fri, 8 Sep 2023 19:55:58 -0700 (PDT)
To: mohamed.boucadair@orange.com, kondtir@gmail.com, dwing-ietf@fuggles.com, neil.cook@noware.co.uk, tojens@microsoft.com
From: rfc-editor@rfc-editor.org
Cc: rfc-editor@rfc-editor.org, add-ads@ietf.org, add-chairs@ietf.org, Andrew.Campling@419.Consulting, evyncke@cisco.com, auth48archive@rfc-editor.org
Content-type: text/plain; charset="UTF-8"
Message-Id: <20230909025558.6F9F9E5EA7@rfcpa.amsl.com>
Date: Fri, 08 Sep 2023 19:55:58 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/auth48archive/_DKbTytI7WUqlOS6Q3-isFXs8Og>
Subject: Re: [auth48] AUTH48: RFC-to-be 9463 <draft-ietf-add-dnr-16> for your review
X-BeenThere: auth48archive@rfc-editor.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Archiving AUTH48 exchanges between the RFC Production Center, the authors, and other related parties" <auth48archive.rfc-editor.org>
List-Unsubscribe: <https://mailman.rfc-editor.org/mailman/options/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/auth48archive/>
List-Post: <mailto:auth48archive@rfc-editor.org>
List-Help: <mailto:auth48archive-request@rfc-editor.org?subject=help>
List-Subscribe: <https://mailman.rfc-editor.org/mailman/listinfo/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Sep 2023 02:56:02 -0000
Authors, While reviewing this document during AUTH48, please resolve (as necessary) the following questions, which are also in the XML file. 1) <!-- [rfced] Abbreviated (running) document title, which appears in the PDF: FYI, we updated the abbreviated title to "DNR", along the lines of the running title "DDR" in the companion document 9462 (draft-ietf-add-ddr). Please let us know if you prefer otherwise. Original: Internet-Draft Discovery of Network-designated Resolver April 2023 Current PDF: RFC 9463 DNR September 2023 --> 2) <!-- [rfced] Datatracker "idnits" output for the original approved document included the following warning. Please let us know if any changes are needed as related to this warning: == There are [sic] 1 instance of lines with non-RFC2606-compliant FQDNs in the document. --> 3) <!-- [rfced] Section 1: Please note that companion document 9462 (draft-ietf-add-ddr) cites both RFCs 4861 and 8106 when referring to IPv6 Router Advertisement options. We have asked the authors of that document if the same RFC should be cited in both places. Please note, however, that we do not see any mention of Router Advertisement options in RFC 4861 - only Neighbor Discovery options. Would you like to see how/if draft-ietf-add-ddr updates its comparable citation and update this document (or not) to match? Original: In particular, the document specifies how a local encrypted DNS resolver can be discovered by connected hosts by means of DHCPv4 [RFC2132], DHCPv6 [RFC8415], and IPv6 Router Advertisement (RA) [RFC4861] options. --> 4) <!-- [rfced] Section 3: This sentence did not parse. We removed the colon (":"). If this is incorrect, please clarify "and Neighbor Discovery protocol (Section 6): Encrypted DNS options". Original: This document describes how a DNS client can discover local encrypted DNS resolvers using DHCP (Sections 4 and 5) and Neighbor Discovery protocol (Section 6): Encrypted DNS options. Currently: This document describes how a DNS client can discover local encrypted DNS resolvers using DHCP (Sections 4 and 5) and Neighbor Discovery protocol (Section 6) Encrypted DNS options. --> 5) <!-- [rfced] Section 3.2: Should "the encrypted DNS is discovered" be "encrypted DNS resolvers are discovered"? If the suggested text is not correct, please clarify. Original: If the encrypted DNS is discovered by a host using both RA and DHCP, the rules discussed in Section 5.3.1 of [RFC8106] MUST be followed. Suggested: If encrypted DNS resolvers are discovered by a host using both RA and DHCP, the rules discussed in Section 5.3.1 of [RFC8106] MUST be followed. --> 6) <!-- [rfced] Section 3.3: As [I-D.ietf-dnsop-svcb-https] does not have a Section 6.1 and the title of its Section 7.1 is '"alpn" and "no-default-alpn"', we updated the cited section number accordingly. If this is incorrect, please provide the correct citation. Original: ALPN-related considerations can be found in Section 6.1 of [I-D.ietf-dnsop-svcb-https]. Currently: ALPN-related considerations can be found in Section 7.1 of [RFC9460]. (see https://www.rfc-editor.org/authors/rfc9460.html#section-7.1)--> 7) <!-- [rfced] Section 3.4: This sentence does not parse. If the suggested text is not correct, please provide clarifying text. Original: Such considerations fall under the generic issue of handling multiple provisioning sources and which should not be dealt within each option separately as per the recommendation in Section 12 of [RFC7227]. Suggested: Such considerations fall under the generic issue of handling multiple provisioning sources and should not be processed in each option separately, as per the recommendation in Section 12 of [RFC7227]. --> 8) <!-- [rfced] Should any of the artwork elements (<artwork>) be tagged as sourcecode or another element? Please review <https://www.rfc-editor.org/materials/sourcecode-types.txt>; if the current list of preferred values for "type" does not contain an applicable type, please let us know. Also, it is acceptable to leave the "type" attribute not set. --> 9) <!-- [rfced] Sections 4.1 and 5.1: These definitions read oddly, as the items preceding the colon are not the field name, unlike all of the other field entries that follow each of them. May we update as suggested? Original: Option-code: OPTION_V6_DNR (TBA1, see Section 9.1) ... Code: OPTION_V4_DNR (TBA2, see Section 9.2). Perhaps: OPTION_V6_DNR: An Option Code (144; see Section 9.1). ... OPTION_V4_DNR: An Option Code (162; see Section 9.2). --> 10) <!-- [rfced] Figure 3: We changed the field name in the diagram from "ipv6-address" to "ipv6-address(es)" per usage in the rest of this document (e.g., "shown in Figure 3" in Section 6.1) and also updated the figure title accordingly. Please let us know any objections. Original: | ipv6-address | ... Figure 3: Format of the IPv6 Addresses Field Currently: | ipv6-address(es) | ... Figure 3: Format of the ipv6-address(es) Field --> 11) <!-- [rfced] Section 4.2: Section 18.2.5 of RFC 8415 does not explicitly mention the Option Request Option or "ORO". Please confirm that the citation for Section 18.2.5 of RFC 8415 will be clear to readers. Original: To discover an encrypted DNS resolver, the DHCPv6 client MUST include OPTION_V6_DNR in an Option Request Option (ORO), as in Sections 18.2.1, 18.2.2, 18.2.4, 18.2.5, 18.2.6, and 21.7 of [RFC8415]. --> 12) <!-- [rfced] Section 5.2: Should 'multiple DNR instance data' be 'multiple "DNR Instance Data" field entries' here? If the suggested text is not correct, please provide clarifying text. Original: The DHCPv4 client MUST be prepared to receive multiple DNR instance data in the OPTION_V4_DNR option; each instance is to be treated as a separate encrypted DNS resolver. Suggested: The DHCPv4 client MUST be prepared to receive multiple "DNR Instance Data" field entries in the OPTION_V4_DNR option; each instance is to be treated as a separate encrypted DNS resolver. --> 13) <!-- [rfced] Section 6.1: We see that Figure 7 has the "0 ... 1 ... 2 ... 3" ruler markers above the "0 1 2 3 4 5 6 7 8 9 ..." ruler lines but Figures 1 and 3 do not. (We're not sure whether or not Figures 4 and 5 would also apply here.) Would you like to place additional ruler-marker lines over Figures 1 and 3, and perhaps Figures 4 and 5? (For example, similar figures in companion document 9464 (draft-ietf-ipsecme-add-ike) all include the additional ruler-marker line.) Original (best viewed with a fixed-point font such as Courier): 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 --> 14) <!-- [rfced] Section 6.1: FYI, in Figure 7, rather than insert the value for TBA3 (144), we put the word "Type" to correspond to the text below the figure. Please let us know if you prefer otherwise. Original: | TBA3 | Length | Service Priority | Current: | Type | Length | Service Priority | --> 15) <!-- [rfced] Section 6.1: We changed 'Service Parameters field' to '"Service Parameters (SvcParams)" field' per the field name. Please let us know any objections. Original: SvcParams Length: 16-bit unsigned integer. This field indicates the length of the Service Parameters field in octets. Currently: SvcParams Length: 16-bit unsigned integer. This field indicates the length of the "Service Parameters (SvcParams)" field in octets. --> 16) <!-- [rfced] Section 7.1: We defined "CA" as "Certificate Authority" per companion document 9464 (draft-ietf-ipsecme-add-ike). If this is incorrect, please provide the correct definition. Original: The attacker can get a domain name with a domain- validated public certificate from a CA and host an encrypted DNS resolver. Currently: The attacker can get a domain name with a domain- validated public certificate from a Certificate Authority (CA) and host an encrypted DNS resolver. --> 17) <!-- [rfced] Section 7.1: It appears that "but cannot provide" refers to the endpoint, but does it refer to the mechanisms? If the endpoint, may we update as suggested? Original: The above mechanisms would ensure that the endpoint receives the correct configuration information of the encrypted DNS resolvers selected by the DHCP server (or RA sender), but cannot provide any information about the DHCP server or the entity hosting the DHCP server (or RA sender). Suggested ("endpoint can receive ... but cannot provide"): The above mechanisms would ensure that the endpoint can receive the correct configuration information of the encrypted DNS resolvers selected by the DHCP server (or RA sender) but cannot provide any information about the DHCP server or the entity hosting the DHCP server (or RA sender). --> 18) <!-- [rfced] Section 7.4: We see that "PSK" has been defined but not "WPA". Will this abbreviation be clear to readers? If not, how should it be defined? Original: If the pre-shared key (PSK) is the same for all clients that connect to the same WLAN (e.g., WPA-PSK), the shared key will be available to all nodes, including attackers. Possibly: If the pre-shared key (PSK) is the same for all clients that connect to the same WLAN (e.g., Wi-Fi Protected Access Pre-Shared Key (WPA-PSK)), the shared key will be available to all nodes, including attackers. --> 19) <!-- [rfced] Section 8: To what does "but does not" refer in this sentence - the mechanism, or the DHCP client or IPv6 host? Also, we see "mechanisms specified in this document" in Sections 3.1.9 and 3.4. Which mechanism is referred to here? Original: The mechanism defined in this document can be used to infer that a DHCP client or IPv6 host support encrypted DNS options, but does not explicitly reveal whether local DNS clients are able to consume these options or infer their encryption capabilities. --> 20) <!-- [rfced] References: We could not find a connection between the Unicode Consortium and the [Evil-Twin] Wikipedia page. If the "Possibly" text is not correct, please provide an appropriate URL for "Evil twin (wireless networks)". Original: [Evil-Twin] The Unicode Consortium, "Evil twin (wireless networks)", <https://en.wikipedia.org/wiki/ Evil_twin_(wireless_networks)>. Possibly: [Evil-Twin] Wikipedia, "Evil twin (wireless networks)", November 2022 <https://en.wikipedia.org/wiki/ Evil_twin_(wireless_networks)>. --> 21) <!-- [rfced] References: We could not find a connection between the Unicode Consortium and the [Krack] paper. Should author Mathy Vanhoef be listed instead? Also, please confirm that the provided URL is stable. Original: [Krack] The Unicode Consortium, "Key Reinstallation Attacks", 2017, <https://www.krackattacks.com/>. --> 22) <!-- [rfced] References: We could not find a connection between the Unicode Consortium and the [Dragonblood] paper. Also, the provided URL appears to be a personal URL. Will the currently listed URL remain stable? Is there a site related to the Unicode Consortium that also provides this paper? If not, should the authors (Mathy Vanhoef and Eyal Ronen) be credited? Original: [Dragonblood] The Unicode Consortium, "Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd", <https://papers.mathyvanhoef.com/dragonblood.pdf>. --> 23) <!-- [rfced] References: We could not find any mention of Cisco on the provided web page. We updated this listing as noted below. If this is incorrect, please provide the correct title and the matching URL. Original: [dot1x] Cisco, "Basic 802.1x Wireless User Authentication", <https://openwrt.org/docs/guide-user/network/wifi/ wireless.security.8021x>. Currently: [dot1x] OpenWrt, "Introduction to 802.1X", December 2021, <https://openwrt.org/docs/guide-user/network/wifi/ wireless.security.8021x>. --> 24) <!-- [rfced] References: We see on the provided URL, under the "Versions" tab, that quite a few versions have been added since December 2019 (Release 16.3.0). Should this listing be updated? We see that the latest version (Release 18 / version 18.3.0, dated June 2023) also mentions "protocol configuration options" and "ePCO". Original: [TS.24008] 3GPP, "Mobile radio interface Layer 3 specification; Core network protocols; Stage 3 (Release 16)", December 2019, <https://www.3gpp.org/DynaReport/24008.htm>. --> 25) <!-- [rfced] Acknowledgments: We found this sentence confusing, as Section 7.3.1 of [RFC8310] says "... does not provide an authentication domain name for the DNS resolver" and "This document does not specify or request any DHCP extension to provide authentication domain names". The current text seems to indicate the opposite. Will this text be clear to readers, or should it be updated? Original: The use of DHCP to retrieve an authentication domain name was discussed in Section 7.3.1 of [RFC8310] and in an Internet-Draft authored by Tom Pusateri and Willem Toorop [I-D.pusateri-dhc-dns-driu]. Possibly *: An issue related to using DHCP to retrieve an ADN is discussed in Section 7.3.1 of [RFC8310]. [DNS-TLS-DHCPv6-Options], authored by Tom Pusateri and Willem Toorop, discusses ways to address the issue. * Per this text from [I-D.pusateri-dhc-dns-driu]: This document was motivated in part by Section 7.3.1 of [RFC8310]. Thanks to the authors Sara Dickinson, Daniel Kahn Gillmor, and Tirumaleswar Reddy for documenting the issue. --> 26) <!-- [rfced] Acknowledgments: Please confirm that, unlike the other individuals listed here, Rich Salz did more than one review ("secdir reviews"). Original: Thanks to Rich Salz for the secdir reviews, Joe Clarke for the ops- dir review, Robert Sparks for the artart review, and David Blacka for the dnsdir review. --> 27) <!-- [rfced] Contributors section: Per RFC 7322 (RFC Style Guide), we changed "Contributing Authors" to "Contributors". If desired, you can add some information to the Contributors section to describe their contributions. If Nicolai Leymann and Zhiwei Yan should be credited as coauthors, the following could be added (e.g., see RFC 9089). Please let us know how you would like to proceed. Original: 11. Contributing Authors Nicolai Leymann ... Currently: Contributors Nicolai Leymann ... Possibly: The following people contributed to the content of this document and should be considered coauthors: Nicolai Leymann ... --> 28) <!-- [rfced] Please review the "Inclusive Language" portion of the online Style Guide at <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>, and let us know if any changes are needed. Note that our script did not flag any words in particular, but this should still be reviewed as a best practice. --> 29) <!-- [rfced] The following term appears to be used inconsistently in this document. Please let us know which form is preferred. Encrypted DNS Option (1 instance - last paragraph of Section 7.1) / Encrypted DNS option (23 instances) / encrypted DNS option (1 instance - Section 8, Paragraph 1)* * As it appears that the option is of type "Encrypted DNS", we suggest "Encrypted DNS option". Also, some field names are quoted, but some are not. Would you like to apply a consistent style (i.e., all quoted or none quoted)? Please review usage, and advise. For example: authentication-domain-name field Option-length field Type and Length fields "DNR Instance Data" field "Addr Length", "IPv4 Address(es)", and "Service Parameters (SvcParams)" fields ... --> Thank you. RFC Editor/lb/ar On Sep 8, 2023, rfc-editor@rfc-editor.org wrote: *****IMPORTANT***** Updated 2023/09/08 RFC Author(s): -------------- Instructions for Completing AUTH48 Your document has now entered AUTH48. Once it has been reviewed and approved by you and all coauthors, it will be published as an RFC. If an author is no longer available, there are several remedies available as listed in the FAQ (https://www.rfc-editor.org/faq/). You and you coauthors are responsible for engaging other parties (e.g., Contributors or Working Group) as necessary before providing your approval. Planning your review --------------------- Please review the following aspects of your document: * RFC Editor questions Please review and resolve any questions raised by the RFC Editor that have been included in the XML file as comments marked as follows: <!-- [rfced] ... --> These questions will also be sent in a subsequent email. * Changes submitted by coauthors Please ensure that you review any changes submitted by your coauthors. We assume that if you do not speak up that you agree to changes submitted by your coauthors. * Content Please review the full content of the document, as this cannot change once the RFC is published. Please pay particular attention to: - IANA considerations updates (if applicable) - contact information - references * Copyright notices and legends Please review the copyright notice and legends as defined in RFC 5378 and the Trust Legal Provisions (TLP – https://trustee.ietf.org/license-info/). * Semantic markup Please review the markup in the XML file to ensure that elements of content are correctly tagged. For example, ensure that <sourcecode> and <artwork> are set correctly. See details at <https://authors.ietf.org/rfcxml-vocabulary>. * Formatted output Please review the PDF, HTML, and TXT files to ensure that the formatted output, as generated from the markup in the XML file, is reasonable. Please note that the TXT will have formatting limitations compared to the PDF and HTML. Submitting changes ------------------ To submit changes, please reply to this email using ‘REPLY ALL’ as all the parties CCed on this message need to see your changes. The parties include: * your coauthors * rfc-editor@rfc-editor.org (the RPC team) * other document participants, depending on the stream (e.g., IETF Stream participants are your working group chairs, the responsible ADs, and the document shepherd). * auth48archive@rfc-editor.org, which is a new archival mailing list to preserve AUTH48 conversations; it is not an active discussion list: * More info: https://mailarchive.ietf.org/arch/msg/ietf-announce/yb6lpIGh-4Q9l2USxIAe6P8O4Zc * The archive itself: https://mailarchive.ietf.org/arch/browse/auth48archive/ * Note: If only absolutely necessary, you may temporarily opt out of the archiving of messages (e.g., to discuss a sensitive matter). If needed, please add a note at the top of the message that you have dropped the address. When the discussion is concluded, auth48archive@rfc-editor.org will be re-added to the CC list and its addition will be noted at the top of the message. You may submit your changes in one of two ways: An update to the provided XML file — OR — An explicit list of changes in this format Section # (or indicate Global) OLD: old text NEW: new text You do not need to reply with both an updated XML file and an explicit list of changes, as either form is sufficient. We will ask a stream manager to review and approve any changes that seem beyond editorial in nature, e.g., addition of new text, deletion of text, and technical changes. Information about stream managers can be found in the FAQ. Editorial changes do not require approval from a stream manager. Approving for publication -------------------------- To approve your RFC for publication, please reply to this email stating that you approve this RFC for publication. Please use ‘REPLY ALL’, as all the parties CCed on this message need to see your approval. Files ----- The files are available here: https://www.rfc-editor.org/authors/rfc9463.xml https://www.rfc-editor.org/authors/rfc9463.html https://www.rfc-editor.org/authors/rfc9463.pdf https://www.rfc-editor.org/authors/rfc9463.txt Diff file of the text: https://www.rfc-editor.org/authors/rfc9463-diff.html https://www.rfc-editor.org/authors/rfc9463-rfcdiff.html (side by side) Diff of the XML: https://www.rfc-editor.org/authors/rfc9463-xmldiff1.html This diff file compares an altered original and the RFC (in order to make the changes in moved text viewable): https://www.rfc-editor.org/authors/rfc9463-alt-diff.html Tracking progress ----------------- The details of the AUTH48 status of your document are here: https://www.rfc-editor.org/auth48/rfc9463 Please let us know if you have any questions. Thank you for your cooperation, RFC Editor -------------------------------------- RFC9463 (draft-ietf-add-dnr-16) Title : DHCP and Router Advertisement Options for the Discovery of Network-designated Resolvers (DNR) Author(s) : M. Boucadair, Ed., T. Reddy.K, Ed., D. Wing, N. Cook, T. Jensen WG Chair(s) : David C Lawrence, Glenn Deen Area Director(s) : Erik Kline, Éric Vyncke
- [auth48] AUTH48: RFC-to-be 9463 <draft-ietf-add-d… rfc-editor
- Re: [auth48] AUTH48: RFC-to-be 9463 <draft-ietf-a… rfc-editor
- Re: [auth48] AUTH48: RFC-to-be 9463 <draft-ietf-a… mohamed.boucadair
- Re: [auth48] AUTH48: RFC-to-be 9463 <draft-ietf-a… mohamed.boucadair
- Re: [auth48] AUTH48: RFC-to-be 9463 <draft-ietf-a… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9463 <draft-ietf-a… Dan Wing
- Re: [auth48] [EXTERNAL] Re: AUTH48: RFC-to-be 946… Tommy Jensen
- Re: [auth48] AUTH48: RFC-to-be 9463 <draft-ietf-a… mohamed.boucadair
- Re: [auth48] AUTH48: RFC-to-be 9463 <draft-ietf-a… tirumal reddy
- Re: [auth48] AUTH48: RFC-to-be 9463 <draft-ietf-a… Neil Cook
- Re: [auth48] AUTH48: RFC-to-be 9463 <draft-ietf-a… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9463 <draft-ietf-a… Dan Wing
- Re: [auth48] AUTH48: RFC-to-be 9463 <draft-ietf-a… Lynne Bartholomew