[dhcwg] AD review of draft-ietf-opsawg-add-encrypted-dns-07
"Rob Wilton (rwilton)" <rwilton@cisco.com> Mon, 19 December 2022 16:53 UTC
From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: "draft-ietf-opsawg-add-encrypted-dns.all@ietf.org" <draft-ietf-opsawg-add-encrypted-dns.all@ietf.org>
CC: "opsawg@ietf.org" <opsawg@ietf.org>
Date: Mon, 19 Dec 2022 16:53:26 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/3TtwCiO-0IxjI1yWSVpwrx7JDKc>

Hi,

Thanks for this document. Here are my AD review comments for draft-ietf-opsawg-add-encrypted-dns-07

Moderate level comments:

(1) p 2, sec 1. Introduction

   This document specifies two new RADIUS attributes: DHCPv6-Options (Section 3.1) and DHCPv4-Options (Section 3.2) Attributes. These attributes can include DHCP options that are listed under the IANA registries that are created in Sections 8.4.1 and 8.4.1. These two attributes are specified in order to accommodate both IPv4 and IPv6 deployment contexts while taking into account the constraints in Section 3.4 of [RFC6158].

It isn't really clear to me why some of the registries are needed, specifically the ones in 8.4.1 and 8.4.2. Why not allow any v4 or v6 DHCP attribute to be carried within the DHCPv6-Options or DHCPv4-Options field?

(2) p 4, sec 3. DHCP Options RADIUS Attributes

   Absent any explicit configuration on the DHCP server, RADIUS supplied data by means of DHCP*-Options Attributes take precedence over any local configuration.

This point may be worth discussing. Naturally, I would expect explicit configuration to a network device to generally take precedence over implicitly learned configuration from the network.

(3) p 6, sec 3.2. DHCPv4-Options Attribute

   Permitted DHCPv4 options in the DHCPv4-Options Attribute are maintained by IANA in the registry created in Section 8.4.2.

Comparing this text to the description for v6, this description is silent on whether multiple instances of the same DHCPv4 option MAY be included. Should that be specified here?

(4) p 10, sec 7. Table of Attributes

   The following table provides a guide as what type of RADIUS packets that may contain these attributes, and in what quantity.

Am I right that this is just a duplication of what is described in section 3? If so, perhaps change "guide" to "informative guide" and include text to refer back to the canonical definition in section 3.

(5) p 13, sec 8.4.3. Guidelines for the Designated Experts

   Registration requests that are undetermined for a period longer than 28 days can be brought to the IESG's attention for resolution.

I'm wondering whether we need the process related text in this document at all, or whether we let IANA apply their standard policies? I may be misinformed, but I'm not aware of many *-review mailing lists.

(6) p 15, sec 10.2. Informative References

   [I-D.ietf-add-dnr] Boucadair, M., Reddy, T., Wing, D., Cook, N., and T. Jensen, "DHCP and Router Advertisement Options for the Discovery of Network-designated Resolvers (DNR)", Work in Progress, Internet-Draft, draft-ietf-add-dnr-13, 13 August 2022, <https://www.ietf.org/archive/id/draft-ietf-add-dnr-13.txt>.

Should this be a normative reference? E.g., it feels like the IANA registry values are bound to whatever is published in ietf-add-dnr.

Minor level comments:

(7) p 2, sec 1. Introduction

   With the advent of encrypted DNS (e.g., DNS-over-HTTPS (DoH) [RFC8484], DNS-over-TLS (DoT) [RFC7858], or DNS-over-QUIC (DoQ) [RFC9250]), additional means are required to provision hosts with network-designated encrypted DNS. To fill that void, [I-D.ietf-add-dnr] leverages existing protocols such as DHCP and IPv6 Router Advertisement to provide hosts with the required information to connect to an encrypted DNS resolver. However, there are no RADIUS attributes that can be used to populate the discovery messages discussed in [I-D.ietf-add-dnr]. The same concern is likely to be encountered for future services that are configured using DHCP.

From this introduction, I thought that this would be covering options for both DHCP and ND, but it looks like only DHCP is covered. Perhaps this introduction text could be tweaked slightly to make this clearer?

(8) p 3, sec 3. DHCP Options RADIUS Attributes

   These attributes use the "Long Extended Type" format in order to permit the transport of attributes encapsulating more than 253 octets of data. DHCP options that can be included in the DHCP*-Options RADIUS attributes are limited by the maximum packet size of 4096 bytes. In order to accommodate deployments with large options, implementations are RECOMMENDED to support a packet size up to 65535 bytes.

I didn't find this text clear. E.g., limit is 4k but should support up to 64K. Which implementations should support larger packet sizes? Is this RADIUS implementations?

(9) p 5, sec 3.1. DHCPv6-Options Attribute

   This field contains a list of DHCPv6 options. Multiple instances of the same DHCPv6 option MAY be included. Consistent with Section 17 of [RFC7227], this document does not impose any option order when multiple options are present.

Is there any requirement to merge multiple instances of options together, presumably they are logically just concatenated today.

(10) p 5, sec 3.1. DHCPv6-Options Attribute

   Permitted DHCPv6 options in the DHCPv6-Options Attribute are maintained by IANA in the registry created in Section 8.4.1.

As per above, presumably there isn't just a DHCPv6 options registry that can be reused rather than needing a separate one to be setup and maintained.

(11) p 6, sec 4.1. Context

   The RADIUS Attributes suboption [RFC4014] enables a DHCPv4 relay agent to pass identification and authorization attributes received during RADIUS authentication to a DHCPv4 server. However, [RFC4014] defines a frozen set of RADIUS attributes that can be included in such a suboption. This limitation is suboptimal in contexts where new services are deployed (e.g., support of encrypted DNS [I-D.ietf-add-dnr]).

I like 'suboptimal', very diplomatic. ;-)

(12) p 8, sec 5. Applicability to Encrypted DNS Provisioning

   Figure 1: An Example of RADIUS IPv6 Encrypted DNS Exchange

As a minor comment, I wonder whether it would be helpful to also include RADIUS client in the NAS box description?

(13) p 12, sec 8.4.1. DHCPv6

   IANA is requested to create a new sub-registry entitled "DHCPv6 Options Permitted in the RADIUS DHCPv6-Options Attribute" in the "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" registry [DHCP-RADIUS].

Do we need to define the definition of columns for this (and the v4 equivalent) registries. E.g., do the values need to match another registry?

(14) p 12, sec 8.4.1. DHCPv6

   Table 4: Initial DHCPv6 Options Permitted in the RADIUS DHCPv6-Options Attribute

Is 144 (and 162 for v4) a permanent IANA assignment? Or should the value be bound to that allocated by draft-ietf-add-dnr.

Nit level comments:

(15) p 2, sec 1. Introduction

   This document specifies two new RADIUS attributes: DHCPv6-Options (Section 3.1) and DHCPv4-Options (Section 3.2) Attributes. These attributes can include DHCP options that are listed under the IANA registries that are created in Sections 8.4.1 and 8.4.1. These two attributes are specified in order to accommodate both IPv4 and IPv6 deployment contexts while taking into account the constraints in Section 3.4 of [RFC6158].

Nit, "Sections 8.4.1 and 8.4.1", presumably should be 8.4.1 and 8.4.2?

Regards,
Rob
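
Added example, not part of the message above or of the draft: a receiver-side check that walks the option list carried in a DHCPv6-Options or DHCPv4-Options value, rejects any option outside a permitted set, and keeps repeated instances in order without merging them. The permitted sets are an assumption limited to the two codes the review mentions (144 and 162); the names parse_options, PERMITTED and the sample byte strings are hypothetical and constructed for illustration.

```python
import struct

# Assumption: registry contents limited to the codes the review mentions
# (144 for DHCPv6, 162 for DHCPv4); real code would load the IANA registries.
PERMITTED = {"v6": {144}, "v4": {162}}
# DHCPv6 options carry a 16-bit code and 16-bit length; DHCPv4 options 8-bit each.
HEADER = {"v6": "!HH", "v4": "!BB"}


class OptionError(ValueError):
    """Malformed attribute value or an option outside the permitted set."""


def parse_options(value: bytes, family: str):
    """Return the (code, data) pairs in a DHCPv6-/DHCPv4-Options value.

    Order and repeated instances are preserved; nothing is merged.
    """
    fmt, allowed = HEADER[family], PERMITTED[family]
    hdr_len = struct.calcsize(fmt)
    options, offset = [], 0
    while offset < len(value):
        if len(value) - offset < hdr_len:
            raise OptionError(f"truncated option header at offset {offset}")
        code, length = struct.unpack_from(fmt, value, offset)
        offset += hdr_len
        if code not in allowed:
            raise OptionError(f"option {code} is not permitted")
        if length > len(value) - offset:
            raise OptionError(f"option {code} overruns the attribute value")
        options.append((code, value[offset:offset + length]))
        offset += length
    return options


def tlv(code: int, data: bytes, family: str) -> bytes:
    """Build one option for the constructed samples below."""
    return struct.pack(HEADER[family], code, len(data)) + data


# Constructed samples; payloads are opaque placeholder bytes, not real DNR data.
TWO_INSTANCES = tlv(144, b"first", "v6") + tlv(144, b"second", "v6")
BARRED = tlv(144, b"ok", "v6") + tlv(23, b"\x00" * 16, "v6")  # 23 = DNS servers
TRUNCATED = tlv(162, b"abcdef", "v4")[:-2]

if __name__ == "__main__":
    print(parse_options(TWO_INSTANCES, "v6"))
    for sample, family in ((BARRED, "v6"), (TRUNCATED, "v4")):
        try:
            parse_options(sample, family)
        except OptionError as exc:
            print("rejected:", exc)
```

The whole value is rejected on the first barred or malformed option rather than being partially accepted, so nothing from a bad attribute reaches the DHCP server configuration.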