Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-dns-07

"Rob Wilton (rwilton)" <rwilton@cisco.com> Wed, 08 February 2023 19:38 UTC

From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: Alan DeKok <aland@deployingradius.com>
CC: "draft-ietf-opsawg-add-encrypted-dns.all@ietf.org" <draft-ietf-opsawg-add-encrypted-dns.all@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Thread-Topic: [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-dns-07
Date: Wed, 08 Feb 2023 19:38:38 +0000
Message-ID: <BY5PR11MB4196BB5D2805639398D344B5B5D89@BY5PR11MB4196.namprd11.prod.outlook.com>
References: <BY5PR11MB4196E89DEC6393A84923CC17B5E59@BY5PR11MB4196.namprd11.prod.outlook.com> <EDA5C486-7261-4668-ABF0-83871D9E1E2B@deployingradius.com>
In-Reply-To: <EDA5C486-7261-4668-ABF0-83871D9E1E2B@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/Cq-foZdCmA1XKtTCFZJKupTtpts>
Subject: Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-dns-07
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>

Hi Alan,

Sorry for the delay.  Please see inline ...

> -----Original Message-----
> From: Alan DeKok <aland@deployingradius.com>
> Sent: 19 December 2022 17:13
> To: Rob Wilton (rwilton) <rwilton@cisco.com>
> Cc: draft-ietf-opsawg-add-encrypted-dns.all@ietf.org; opsawg@ietf.org
> Subject: Re: [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-dns-07
> 
> On Dec 19, 2022, at 11:53 AM, Rob Wilton (rwilton)
> <rwilton=40cisco.com@dmarc.ietf.org> wrote:
> > It isn't really clear to me why some of the registries are needed, specifically
> the ones in 8.4.1 and 8.4.2.  Why not allow any v4 or v6 DHCP attribute to be
> carried within the DHCPv6-Options or DHCPv4-Options field?
> 
>   The original intent of the document was to define a limited set of DHCP
> options which could be carried in RADIUS.  i.e. option X would map to RADIUS
> attribute Y.  After some discussion, this was deemed to be unworkable, and
> changed to the current method.
> 
>   The previous limitations were still kept, however.
> 
>   While it is useful, I could see issues with allowing any DHCP option to be
> transported in RADIUS.  I'll have to dig deeper to get into details.
[Rob Wilton (rwilton)] 

Okay.

> 
> >
> > (2) p 4, sec 3.  DHCP Options RADIUS Attributes
> >
> >   Absent any explicit configuration on the DHCP server, RADIUS supplied
> >   data by means of DHCP*-Options Attributes take precedence over any
> >   local configuration.
> >
> > This point may be worth discussing.  Naturally, I would expect explicit
> configuration to a network device to generally take precedence over implicitly
> learned configuration from the network.
> 
>  I'm not sure which options are "implicitly learned" from the network.  One set
> is configured in the device, and another is configured on a per-user / per-
> session basis.  This allows for sane defaults, with specific overrides where
> those are needed.
> 
>   If the options configured on the device always take precedence over the per-
> session options (via RADIUS), then there isn't much point in sending per-session
> options.
[Rob Wilton (rwilton)] 
To give a regular configuration example, if you were to enable the Ethernet auto-negotiation protocol but also explicitly configure a 10/100/1000 Ethernet interface to run at 100 Mb/s, then I would expect the explicit client-provided configuration to take precedence over negotiating the speed value.

It sounds like, in what you describe, the configuration is effectively hierarchical.  I.e., it is really because the RADIUS-supplied configuration is more specific that it takes precedence over the local configuration.  If so, that is expected, but I think that it would be helpful to clarify the description to make that clear.


> 
> > (3) p 6, sec 3.2.  DHCPv4-Options Attribute
> >
> >      Permitted DHCPv4 options in the DHCPv4-Options Attribute are
> >      maintained by IANA in the registry created in Section 8.4.2.
> >
> > Comparing this text to the description for v6, this description is silent on
> whether multiple instances of the same DHCPv4 option MAY be included.
> Should that be specified here?
> 
>   Likely, yes.  The RADIUS attributes are simply carrying DHCP options, as if they
> were in a DHCP packet.  So all of the DHCP rules about option handling should
> apply here.
[Rob Wilton (rwilton)] 
Okay.

> 
> >
> > (4) p 10, sec 7.  Table of Attributes
> >
> >   The following table provides a guide as what type of RADIUS packets
> >   that may contain these attributes, and in what quantity.
> >
> > Am I right that this is just a duplication of what is described in section 3?  If
> so, perhaps change "guide" to "informative guide" and include text to refer
> back to the canonical definition in section 3.
> 
>   Sure.  This table is traditional in RADIUS RFCs, so the text here mirrors
> previous RADIUS RFCs.
[Rob Wilton (rwilton)] 
Okay.


> 
> > (8) p 3, sec 3.  DHCP Options RADIUS Attributes
> >
> >   These attributes use the "Long Extended Type" format in order to
> >   permit the transport of attributes encapsulating more than 253 octets
> >   of data.  DHCP options that can be included in the DHCP*-Options
> >   RADIUS attributes are limited by the maximum packet size of 4096
> >   bytes.  In order to accommodate deployments with large options,
> >   implementations are RECOMMENDED to support a packet size up to 65535
> >   bytes.
> >
> > I didn't find this text clear.  E.g., limit is 4k but should support up to 64K.
> Which implementations should support larger packet sizes?  Is this RADIUS
> implementations?
> 
>   It's a limitation of RADIUS.  Everything RADIUS has to support 4K packets.
> Later RFCs allow for 64K packets.
[Rob Wilton (rwilton)] 

Okay.  If this will be obvious to everyone implementing/deploying RADIUS then fine, otherwise it might be worth including an informative reference to the RFC that increases the limit to 64K.



> 
> >
> > (9) p 5, sec 3.1.  DHCPv6-Options Attribute
> >
> >      This field contains a list of DHCPv6 options.  Multiple instances
> >      of the same DHCPv6 option MAY be included.  Consistent with
> >      Section 17 of [RFC7227], this document does not impose any option
> >      order when multiple options are present.
> >
> > Is there any requirement to merge multiple instances of options together?
> Presumably they are logically just concatenated today.
> 
>   The rules for DHCP options processing should apply.
[Rob Wilton (rwilton)] 

Okay.  Should that be stated here, or at least made consistent with the v4 description that has been updated to:

|      This field contains a list of DHCPv4 options.  Multiple instances
|      of the same DHCPv4 option MAY be included, especially for
|      concatenation-requiring options that exceed the maximum DHCPv4
|      option size of 255 octets.  The mechanism specified in [RFC3396]
|      MUST be used for splitting and concatenating the instances of a
|      concatenation-requiring option.


> 
> > (12) p 8, sec 5.  Applicability to Encrypted DNS Provisioning
> >
> >         Figure 1: An Example of RADIUS IPv6 Encrypted DNS Exchange
> >
> > As a minor comment, I wonder whether it would be helpful to also include the
> RADIUS client in the NAS box description?
> 
>   Yes.
> 
> >
> > (13) p 12, sec 8.4.1.  DHCPv6
> >
> >   IANA is requested to create a new sub-registry entitled "DHCPv6
> >   Options Permitted in the RADIUS DHCPv6-Options Attribute" in the
> >   "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" registry
> >   [DHCP-RADIUS].
> >
> > Do we need to define the columns for these (and the v4 equivalent)
> registries?  E.g., do the values need to match another registry?
> 
>   Perhaps just names?  It would be good to avoid duplicating multiple columns,
> as they could get out of sync.

The changes that you have made for -08 for this seem fine.

Thanks,
Rob

> 
>   Alan DeKok.
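
The two size limits raised in the exchange above come from different layers: a single DHCPv4 option carries at most 255 octets of data, so a larger concatenation-requiring option is sent as repeated instances of the same code that the receiver joins in order (RFC 3396), while a single RADIUS attribute carries at most 253 octets, so the DHCP*-Options attributes use the RFC 6929 Long Extended Type format and are cut into fragments of at most 251 value octets with the M bit set on every fragment but the last; the whole result must then still fit the 4096-octet RADIUS packet. The following round trip shows both layers working together. It is an added example, not code from the draft or from either participant in the thread. It assumes a placeholder Extended-Type value (the real one is assigned by IANA), treats option code 162 as the concatenation-requiring option, and uses a constructed 600-octet payload rather than a real encrypted-DNS option encoding.

```python
"""Added example: DHCPv4 options carried in a RADIUS Long Extended Type attribute.
RFC 3396 splits a DHCPv4 option with more than 255 data octets into repeated instances
of the same code; RFC 6929 splits a long RADIUS attribute into fragments of at most
251 value octets, with the M (More) bit set on every fragment but the last."""

RADIUS_LONG_EXT_TYPE_1 = 245   # RFC 6929 "Long Extended Type 1" attribute type
EXT_TYPE_DHCPV4_OPTIONS = 0    # placeholder only; the real Extended-Type is assigned by IANA
LONG_EXT_MAX_VALUE = 251       # 255-octet attribute minus Type, Length, Extended-Type, M|Reserved
DHCPV4_MAX_OPTION_DATA = 255   # one-octet DHCPv4 option length field
RADIUS_HEADER_OCTETS = 20      # Code, Identifier, Length, Authenticator
MORE_FLAG = 0x80
CONCAT_REQUIRING = frozenset({162})  # assumption for the example: option 162 may be split

def encode_dhcpv4_options(options, concat_requiring=CONCAT_REQUIRING):
    """Serialise [(code, data), ...] into DHCPv4 TLVs, splitting per RFC 3396 where allowed."""
    out = bytearray()
    for code, data in options:
        if not 1 <= code <= 254:
            raise ValueError(f"option code {code} is not a TLV option")
        if len(data) > DHCPV4_MAX_OPTION_DATA and code not in concat_requiring:
            raise ValueError(f"option {code} exceeds 255 octets and may not be split")
        for i in range(0, max(len(data), 1), DHCPV4_MAX_OPTION_DATA):  # one instance per slice
            chunk = data[i:i + DHCPV4_MAX_OPTION_DATA]
            out += bytes((code, len(chunk))) + chunk
    return bytes(out)

def decode_dhcpv4_options(buf, concat_requiring=CONCAT_REQUIRING):
    """Parse DHCPv4 TLVs into {code: [data, ...]}; concatenation-requiring codes are joined."""
    result, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == 0:        # Pad: one octet, no length field
            i += 1
            continue
        if code == 255:      # End: nothing follows
            break
        if i + 2 > len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        data = buf[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code}: declared {length} octets, got {len(data)}")
        result.setdefault(code, []).append(bytes(data))
        i += 2 + length
    for code in concat_requiring.intersection(result):
        result[code] = [b"".join(result[code])]   # RFC 3396: join in order of appearance
    return result

def encode_long_extended(ext_type, value, radius_type=RADIUS_LONG_EXT_TYPE_1):
    """Split value into RFC 6929 fragments: Type | Length | Extended-Type | M+Reserved | Value."""
    if not value:
        raise ValueError("empty attribute value")
    chunks = [value[i:i + LONG_EXT_MAX_VALUE] for i in range(0, len(value), LONG_EXT_MAX_VALUE)]
    frags = []
    for idx, chunk in enumerate(chunks):
        flags = MORE_FLAG if idx < len(chunks) - 1 else 0
        frags.append(bytes((radius_type, 4 + len(chunk), ext_type, flags)) + chunk)
    return frags

def decode_long_extended(frags, ext_type, radius_type=RADIUS_LONG_EXT_TYPE_1):
    """Reassemble consecutive fragments of one Long Extended Type attribute."""
    if not frags:
        raise ValueError("no fragments")
    value = bytearray()
    for idx, frag in enumerate(frags):
        if len(frag) < 5 or frag[0] != radius_type or frag[1] != len(frag) or frag[2] != ext_type:
            raise ValueError(f"fragment {idx}: malformed header")
        if bool(frag[3] & MORE_FLAG) != (idx < len(frags) - 1):
            raise ValueError(f"fragment {idx}: M flag does not match fragment position")
        value += frag[4:]
    return bytes(value)

def radius_packet_octets(frags):
    """Size of a RADIUS packet carrying only these attribute fragments."""
    return RADIUS_HEADER_OCTETS + sum(len(f) for f in frags)

# Constructed sample input: two resolver addresses from 192.0.2.0/24 in option 6 and a
# 600-octet opaque payload in option 162 (not a real encrypted-DNS option encoding).
SAMPLE_OPTIONS = [
    (6, bytes((192, 0, 2, 1, 192, 0, 2, 2))),
    (162, bytes(range(256)) * 2 + bytes(range(88))),
]

def round_trip(options, max_packet=4096):
    """Options -> DHCPv4 TLVs -> RADIUS fragments -> reassembled TLVs -> options.
    max_packet is the classic RADIUS limit; use 65535 where larger packets are supported."""
    frags = encode_long_extended(EXT_TYPE_DHCPV4_OPTIONS, encode_dhcpv4_options(options))
    if radius_packet_octets(frags) > max_packet:
        raise ValueError(f"attribute needs {radius_packet_octets(frags)} octets, limit {max_packet}")
    return decode_dhcpv4_options(decode_long_extended(frags, EXT_TYPE_DHCPV4_OPTIONS))

if __name__ == "__main__":
    wire = encode_dhcpv4_options(SAMPLE_OPTIONS)
    frags = encode_long_extended(EXT_TYPE_DHCPV4_OPTIONS, wire)
    print(f"{len(wire)} octets of options -> {len(frags)} fragments, "
          f"{radius_packet_octets(frags)}-octet RADIUS packet")
    print({code: [len(d) for d in data] for code, data in round_trip(SAMPLE_OPTIONS).items()})
```

With the sample input, the 600-octet option becomes three DHCPv4 instances (255, 255 and 90 octets), the 616 octets of options become three RADIUS fragments (255, 255 and 118 octets on the wire, M set on the first two), and the packet needs 648 octets, well inside the 4096-octet limit. The two checks worth keeping in a real implementation are the ones that raise: an oversized option whose code is not concatenation-requiring, and a fragment sequence whose M bits do not match the fragment positions (for instance a final fragment that still has M set, which is what a truncated attribute looks like).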