Re: [dhcwg] [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-dns-07

"Rob Wilton (rwilton)" <rwilton@cisco.com> Thu, 09 February 2023 11:37 UTC

From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, Alan DeKok <aland@deployingradius.com>
CC: "draft-ietf-opsawg-add-encrypted-dns.all@ietf.org" <draft-ietf-opsawg-add-encrypted-dns.all@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Date: Thu, 09 Feb 2023 11:36:56 +0000
Message-ID: <BY5PR11MB4196C33F3EB7344EE7FBEA6FB5D99@BY5PR11MB4196.namprd11.prod.outlook.com>
References: <BY5PR11MB4196E89DEC6393A84923CC17B5E59@BY5PR11MB4196.namprd11.prod.outlook.com> <EDA5C486-7261-4668-ABF0-83871D9E1E2B@deployingradius.com> <BY5PR11MB4196BB5D2805639398D344B5B5D89@BY5PR11MB4196.namprd11.prod.outlook.com> <9291_1675933339_63E4B69B_9291_403_1_66463ab113c04cc88d3446194c92971c@orange.com> <BY5PR11MB4196E25F3A53AC4B4BE7E3E2B5D99@BY5PR11MB4196.namprd11.prod.outlook.com> <20586_1675938725_63E4CBA5_20586_113_1_6e28bfcfa63b48ee992d2547d18efeea@orange.com>
In-Reply-To: <20586_1675938725_63E4CBA5_20586_113_1_6e28bfcfa63b48ee992d2547d18efeea@orange.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/IufikNiOpPOH2qXg3-H7b-ZmODw>

Hi Med, Alan,

Thanks.  I've requested LC on -09.

Regards,
Rob


> -----Original Message-----
> From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
> Sent: 09 February 2023 10:32
> To: Rob Wilton (rwilton) <rwilton@cisco.com>; Alan DeKok <aland@deployingradius.com>
> Cc: draft-ietf-opsawg-add-encrypted-dns.all@ietf.org; opsawg@ietf.org
> Subject: RE: [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-dns-07
> 
> Re-,
> 
> Thanks Rob for the follow-up.
> 
> A new version with the proposed changes is now online: https://author-tools.ietf.org/iddiff?url2=draft-ietf-opsawg-add-encrypted-dns-09.
> 
> Cheers,
> Med
> 
> > -----Original Message-----
> > From: Rob Wilton (rwilton) <rwilton@cisco.com>
> > Sent: Thursday, 9 February 2023 11:04
> > To: BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>; Alan DeKok <aland@deployingradius.com>
> > Cc: draft-ietf-opsawg-add-encrypted-dns.all@ietf.org; opsawg@ietf.org
> > Subject: RE: [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-dns-07
> >
> > Hi Med, Alan,
> >
> > > -----Original Message-----
> > > From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
> > > Sent: 09 February 2023 09:02
> > > To: Rob Wilton (rwilton) <rwilton@cisco.com>; Alan DeKok <aland@deployingradius.com>
> > > Cc: draft-ietf-opsawg-add-encrypted-dns.all@ietf.org; opsawg@ietf.org
> > > Subject: RE: [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-dns-07
> > >
> > > Hi Rob, all,
> > >
> > > Please see inline.
> > >
> > > Cheers,
> > > Med
> > >
> > > > -----Original Message-----
> > > > From: Rob Wilton (rwilton) <rwilton@cisco.com>
> > > > Sent: Wednesday, 8 February 2023 20:39
> > > > To: Alan DeKok <aland@deployingradius.com>
> > > > Cc: draft-ietf-opsawg-add-encrypted-dns.all@ietf.org; opsawg@ietf.org
> > > > Subject: RE: [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-dns-07
> > > >
> > > > Hi Alan,
> > > >
> > > > Sorry for the delay.  Please see inline ...
> > > >
> > > > > -----Original Message-----
> > > > > From: Alan DeKok <aland@deployingradius.com>
> > > > > Sent: 19 December 2022 17:13
> > > > > To: Rob Wilton (rwilton) <rwilton@cisco.com>
> > > > > Cc: draft-ietf-opsawg-add-encrypted-dns.all@ietf.org; opsawg@ietf.org
> > > > > Subject: Re: [OPSAWG] AD review of draft-ietf-opsawg-add-encrypted-dns-07
> > > > >
> > > > > On Dec 19, 2022, at 11:53 AM, Rob Wilton (rwilton) <rwilton=40cisco.com@dmarc.ietf.org> wrote:
> > > > > > It isn't really clear to me why some of the registries are needed,
> > > > > > specifically the ones in 8.4.1 and 8.4.2.  Why not allow any v4 or v6
> > > > > > DHCP attribute to be carried within the DHCPv6-Options or
> > > > > > DHCPv4-Options field?
> > > > >
> > > > >   The original intent of the document was to define a limited set of
> > > > > DHCP options which could be carried in RADIUS.  i.e. option X would
> > > > > map to RADIUS attribute Y.  After some discussion, this was deemed to
> > > > > be unworkable, and changed to the current method.
> > > > >
> > > > >   The previous limitations were still kept, however.
> > > > >
> > > > >   While it is useful, I could see issues with allowing any DHCP option
> > > > > to be transported in RADIUS.  I'll have to dig deeper to get into details.
> > > > [Rob Wilton (rwilton)]
> > > >
> > > > Okay.
> > > >
> > > > >
> > > > > >
> > > > > > (2) p 4, sec 3.  DHCP Options RADIUS Attributes
> > > > > >
> > > > > >   Absent any explicit configuration on the DHCP server, RADIUS supplied
> > > > > >   data by means of DHCP*-Options Attributes take precedence over any
> > > > > >   local configuration.
> > > > > >
> > > > > > This point may be worth discussing.  Naturally, I would expect explicit
> > > > > > configuration to a network device to generally take precedence over
> > > > > > implicitly learned configuration from the network.
> > > > >
> > > > >  I'm not sure which options are "implicitly learned" from the network.
> > > > > One set is configured in the device, and another is configured on a
> > > > > per-user / per-session basis.  This allows for sane defaults, with
> > > > > specific over-rides where those are needed.
> > > > >
> > > > >   If the options configured on the device always take precedence over
> > > > > the per-session options (via RADIUS), then there isn't much point in
> > > > > sending per-session options.
> > > > [Rob Wilton (rwilton)]
> > > > To give a regular configuration example, if you were to enable the
> > > > Ethernet auto-negotiation protocol but also explicitly configure a
> > > > 10/100/1000 Ethernet interface to run at 100 Mb/s then I would
> > > > expect the explicit client provided configuration to take precedence
> > > > over negotiating the speed value.
> > > >
> > > > It sounds like, in what you describe, the configuration is
> > > > effectively hierarchical.  I.e., it is really because the RADIUS
> > > > supplied configuration is more-specific that it takes precedence
> > > > over the local configuration.  If so, that is expected, but I think
> > > > that it would be helpful to clarify the description to make that
> > > > clear.
> > > >
> > >
> > > [Med] OK. We can make this change:
> > >
> > > OLD:
> > >    Absent any explicit configuration on the DHCP server, RADIUS
> > >    supplied data by means of DHCP*-Options Attributes take precedence
> > >    over any local configuration.
> > >
> > > NEW:
> > >    RADIUS supplied data is specific configuration data that is
> > >    returned as a function of authentication and authorization checks.
> > >    As such, absent any explicit configuration on the DHCP server, RADIUS
> > >    supplied data by means of DHCP*-Options Attributes take precedence
> > >    over any local configuration.
> > [Rob Wilton (rwilton)]
> >
> > This is okay, but I would probably prefer a slight tweak to the last
> > sentence to:
> >
> >    RADIUS supplied data is specific configuration data that is
> >    returned as a function of authentication and authorization checks.
> >    As such, absent any explicit configuration on the DHCP server, RADIUS
> >    supplied data by means of DHCP*-Options Attributes take precedence
> >    over any less specific or default local configuration.
> >
> > But I'll leave this to the authors to decide.
> >
> >
> > >
> > > >
> > > > >
> > > > > > (3) p 6, sec 3.2.  DHCPv4-Options Attribute
> > > > > >
> > > > > >      Permitted DHCPv4 options in the DHCPv4-Options Attribute are
> > > > > >      maintained by IANA in the registry created in Section 8.4.2.
> > > > > >
> > > > > > Comparing this text to the description for v6, this description is
> > > > > > silent on whether multiple instances of the same DHCPv4 option MAY be
> > > > > > included.  Should that be specified here?
> > > > >
> > > > >   Likely, yes.  The RADIUS attributes are simply carrying DHCP
> > > > > options, as if they were in a DHCP packet.  So all of the DHCP rules
> > > > > about option handling should apply here.
> > > > [Rob Wilton (rwilton)]
> > > > Okay.
> > > >
> > > > >
> > > > > >
> > > > > > (4) p 10, sec 7.  Table of Attributes
> > > > > >
> > > > > >   The following table provides a guide as what type of RADIUS packets
> > > > > >   that may contain these attributes, and in what quantity.
> > > > > >
> > > > > > Am I right that this is just a duplication of what is described in
> > > > > > section 3?  If so, perhaps change "guide" to "informative guide" and
> > > > > > include text to refer back to the canonical definition in section 3.
> > > > >
> > > > >   Sure.  This table is traditional in RADIUS RFCs, so the text here
> > > > > mirrors previous RADIUS RFCs.
> > > > [Rob Wilton (rwilton)]
> > > > Okay.
> > > >
> > > >
> > > > >
> > > > > > (8) p 3, sec 3.  DHCP Options RADIUS Attributes
> > > > > >
> > > > > >   These attributes use the "Long Extended Type" format in order to
> > > > > >   permit the transport of attributes encapsulating more than 253 octets
> > > > > >   of data.  DHCP options that can be included in the DHCP*-Options
> > > > > >   RADIUS attributes are limited by the maximum packet size of 4096
> > > > > >   bytes.  In order to accommodate deployments with large options,
> > > > > >   implementations are RECOMMENDED to support a packet size up to 65535
> > > > > >   bytes.
> > > > > >
> > > > > > I didn't find this text clear.  E.g., limit is 4k but should support
> > > > > > up to 64K.  Which implementations should support larger packet sizes?
> > > > > > Is this RADIUS implementations?
> > > > >
> > > > >   It's a limitation of RADIUS.  Everything RADIUS has to support 4K packets.
> > > > > Later RFCs allow for 64K packets.
> > > > [Rob Wilton (rwilton)]
> > > >
> > > > Okay.  If this will be obvious to everyone implementing/deploying
> > > > RADIUS then fine, otherwise it might be worth including an
> > > > informative reference to the RFC that increases the limit to 64K.
> > > >
> > > >
> > >
> > > [Med] We do already have the following:
> > >
> > >    Note:  The 4096 bytes size limit was relaxed by other RFCs, e.g.,
> > >       [RFC7499] and [RFC7930].
> > >
> > > Do we need to say more? Thanks.
> > [Rob Wilton (rwilton)]
> >
> > Nope.  I missed that you already state that.
> >
> > >
> > > >
> > > > >
> > > > > >
> > > > > > (9) p 5, sec 3.1.  DHCPv6-Options Attribute
> > > > > >
> > > > > >      This field contains a list of DHCPv6 options.  Multiple instances
> > > > > >      of the same DHCPv6 option MAY be included.  Consistent with
> > > > > >      Section 17 of [RFC7227], this document does not impose any option
> > > > > >      order when multiple options are present.
> > > > > >
> > > > > > Is there any requirement to merge multiple instances of options together,
> > > > > > presumably they are logically just concatenated today.
> > > > >
> > > > >   The rules for DHCP options processing should apply.
> > > > [Rob Wilton (rwilton)]
> > > >
> > > > Okay.  Should that be stated here, or at least made consistent with
> > > > the v4 description that has been updated to:
> > > >
> > > > |      This field contains a list of DHCPv4 options.  Multiple instances
> > > > |      of the same DHCPv4 option MAY be included, especially for
> > > > |      concatenation-requiring options that exceed the maximum DHCPv4
> > > > |      option size of 255 octets.  The mechanism specified in [RFC3396]
> > > > |      MUST be used for splitting and concatenating the instances of a
> > > > |      concatenation-requiring option.
> > > >
> > >
> > > [Med] We can echo the relevant part from 8415 here:
> > >
> > > OLD:
> > >       This field contains a list of DHCPv6 options.  Multiple instances
> > >       of the same DHCPv6 option MAY be included.  Consistent with
> > >       Section 17 of [RFC7227], this document does not impose any option
> > >       order when multiple options are present.
> > >
> > > NEW:
> > >       This field contains a list of DHCPv6 options (Section 21 of
> > >       [RFC8415]).  Multiple instances of the same DHCPv6 option MAY be
> > >       included.  If an option appears multiple times, each instance is
> > >       considered separate and the data areas of the options MUST NOT be
> > >       concatenated or otherwise combined.  Consistent with Section 17 of
> > >       [RFC7227], this document does not impose any option order when
> > >       multiple options are present.
> > [Rob Wilton (rwilton)]
> >
> > Looks good.
> >
> > Let me know when you have posted an updated draft.
> >
> > Thanks,
> > Rob
> 
> 
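The two option-instance rules the thread settles on (RFC 3396 splitting and concatenation for DHCPv4-Options, separate never-combined instances for DHCPv6-Options) and the Long Extended Type framing from point (8), as an added example that is not part of the thread, the draft, or any RADIUS implementation; the sample payloads are constructed and the function names are my own.

```python
"""Parse DHCP options carried in RADIUS DHCPv4-Options / DHCPv6-Options data.

Illustrative code written for this thread, not code from the draft or from any
RADIUS implementation. The sample payloads are constructed.
"""
from collections import OrderedDict
from typing import List, Tuple

DHCPV4_OPTION_DATA_MAX = 255  # one-byte DHCPv4 option length field


def parse_dhcpv6_options(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a DHCPv6-Options payload into (code, data) pairs.

    DHCPv6 options are 2-byte code, 2-byte length, data (RFC 8415 section 21).
    Repeated options stay separate: the NEW text in the thread says their
    data areas MUST NOT be concatenated or otherwise combined.
    """
    options = []
    i = 0
    while i < len(data):
        if i + 4 > len(data):
            raise ValueError(f"truncated DHCPv6 option header at offset {i}")
        code = int.from_bytes(data[i:i + 2], "big")
        length = int.from_bytes(data[i + 2:i + 4], "big")
        body = data[i + 4:i + 4 + length]
        if len(body) != length:
            raise ValueError(f"DHCPv6 option {code}: {length} bytes declared, {len(body)} present")
        options.append((code, body))
        i += 4 + length
    return options


def parse_dhcpv4_options(data: bytes) -> "OrderedDict[int, bytes]":
    """Parse a DHCPv4-Options payload into one value per option code.

    DHCPv4 options are 1-byte code, 1-byte length, data (RFC 2132); Pad (0)
    has no length and End (255) terminates. Repeated instances of a code are
    concatenated in order, the RFC 3396 rule the thread's v4 text mandates.
    """
    merged: "OrderedDict[int, bytes]" = OrderedDict()
    i = 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 2 > len(data):
            raise ValueError(f"truncated DHCPv4 option header at offset {i}")
        length = data[i + 1]
        body = data[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError(f"DHCPv4 option {code}: {length} bytes declared, {len(body)} present")
        merged[code] = merged.get(code, b"") + body
        i += 2 + length
    return merged


def encode_dhcpv4_option(code: int, value: bytes) -> bytes:
    """Encode one DHCPv4 option, splitting values over 255 octets into
    consecutive instances as RFC 3396 describes (the sender side of the rule)."""
    out = bytearray()
    for off in range(0, len(value), DHCPV4_OPTION_DATA_MAX):
        chunk = value[off:off + DHCPV4_OPTION_DATA_MAX]
        out += bytes([code, len(chunk)]) + chunk
    return bytes(out)


def long_extended_attr_size(payload_len: int) -> int:
    """Wire size of a Long Extended Type attribute (RFC 6929) carrying
    payload_len bytes: each fragment is a 4-byte header plus up to 251 bytes."""
    fragments = max(1, -(-payload_len // 251))  # ceiling division
    return payload_len + 4 * fragments


# Constructed samples: two DHCPv6 option 23 (DNS server) instances, and a
# DHCPv4 payload with option 6 plus option 121 split across two instances.
V6_SAMPLE = (bytes([0, 23, 0, 16]) + bytes.fromhex("20010db8" + "00" * 11 + "01")
             + bytes([0, 23, 0, 16]) + bytes.fromhex("20010db8" + "00" * 11 + "02"))
V4_SAMPLE = (bytes([6, 4, 192, 0, 2, 1]) + bytes([121, 2]) + b"AB"
             + bytes([0]) + bytes([121, 2]) + b"CD" + bytes([255]))

if __name__ == "__main__":
    print(parse_dhcpv6_options(V6_SAMPLE))  # two separate option-23 instances
    print(parse_dhcpv4_options(V4_SAMPLE))  # option 121 merged to b"ABCD"
```

A receiver that merged the two DHCPv6 instances, or that failed to merge the DHCPv4 ones, would silently hand the DHCP server a different configuration than the RADIUS server sent.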