Re: [dns-privacy] [Last-Call] last call review of draft-ietf-dprive-rfc7626-bis-03
Rob Sayre <sayrer@gmail.com> Tue, 07 January 2020 22:08 UTC
Return-Path: <sayrer@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D5DA1200A3; Tue, 7 Jan 2020 14:08:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mjSne8tg4ERe; Tue, 7 Jan 2020 14:08:47 -0800 (PST)
Received: from mail-io1-xd44.google.com (mail-io1-xd44.google.com [IPv6:2607:f8b0:4864:20::d44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA138120025; Tue, 7 Jan 2020 14:08:47 -0800 (PST)
Received: by mail-io1-xd44.google.com with SMTP id b10so980235iof.11; Tue, 07 Jan 2020 14:08:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=MoXKa8rACbgTaT53WcH+a+K5kE1byvzxGl4armPK1tU=; b=ZOSiDKJa5ZqE+qRrEBSXUoHHn4PqpXyYFVIYi7040iZrm4AGFCD6R+y/MSkQV+22X2 E7oAJEPUJWLl7N5J8paro9MVng0VWQsKYl7s8GqLVQip/QNAh0etIVoz+BhRAzp1sAoL dH4X/PDDoDPhgktYkMfjnbEOobSWATS5QhAim4/21a4CACdVQeVt9d0i+88rHK1DH+ag IjD7twM5FpnxUjRz+Xg39KgfLXePVsvMAMTECPvDBvzjSUvOFAFrAc3RPYo7bDmd8Z5q 5AlVIHSVZmVfgm78l4Ia8NBHR1A8U/+7/FL7VGdMecuwJn1Vx4NpJKuy+Vgno2avqRct UkPA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=MoXKa8rACbgTaT53WcH+a+K5kE1byvzxGl4armPK1tU=; b=TGpGtLPA9hCy5++ZBizP3yph0fvYACC8W49eqs9Ek5gpm0UYr4z8YA1ztRu/hNqZ24 JlCCpwjhcRQznRg9jcZQjGSTat4Jc+QNgopMKlHrtUkgX01N+MiVzvaNSL5N6bdHR6qN x3iSODC9elv+UwpW07L+DPLAXD1tsOrJ+M56V3S1bGD5DdtbFOap+W0dKEjKgzFHFbez SuJjH86IoCGapiGxRV68NghtnOsKGFSQxD+3fVy0VDBJ7iRvQKs9hnSWyvuHADPCtDSj v5VmWuKgtUrvi9PcUGQbIIEO0U9nr79KYz0XjspBpYn4M035OzdU5XQpp9JJsN6dMyPH TLfw==
X-Gm-Message-State: APjAAAULoAzBL9ANYNeRmU6RWNBA0c2lpiFnrTI5TE+rbhyx0kMtOmhC riz4akjWDlIexGiKYtEa8hkzP55MNUFFF0Iyna0=
X-Google-Smtp-Source: APXvYqxszhNTmfuqhYl0Vt/rU3WusuRT+iHYSu3OA+25e7UUOhOG8mawhF4RvxUN6NRhtsUGVBexAgRLnYJRCFTP5Hk=
X-Received: by 2002:a6b:fc0c:: with SMTP id r12mr884110ioh.189.1578434926951; Tue, 07 Jan 2020 14:08:46 -0800 (PST)
MIME-Version: 1.0
References: <157504194893.4871.5551746255324168227@ietfa.amsl.com> <208AD30F-1213-4784-81FC-4AB76730CEC2@sinodun.com> <a02720cf-01b3-d61a-94d2-b3d0a399f107@cs.tcd.ie> <20191223220509.GK35479@kduck.mit.edu> <CAChr6SyAhA8V7AQHC67vTEmHWgd+gMzM-ZtFTkBDUhsvVQEC8A@mail.gmail.com> <614B534F-D62D-432C-A3E5-A01D9BF972AA@sinodun.com>
In-Reply-To: <614B534F-D62D-432C-A3E5-A01D9BF972AA@sinodun.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Tue, 07 Jan 2020 14:08:35 -0800
Message-ID: <CAChr6SzbtzYPa8D6yFv+f74==6JFQtM+BVyPKR8NAiBG0p-icQ@mail.gmail.com>
To: Sara Dickinson <sara@sinodun.com>
Cc: draft-ietf-dprive-rfc7626-bis.all@ietf.org, last-call@ietf.org, DNS Privacy Working Group <dns-privacy@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001f425a059b9405b1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/4VfOCsQiWgh13OyWyw9eMQ6UJE4>
Subject: Re: [dns-privacy] [Last-Call] last call review of draft-ietf-dprive-rfc7626-bis-03
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jan 2020 22:08:50 -0000
On Tue, Jan 7, 2020 at 10:35 AM Sara Dickinson <sara@sinodun.com> wrote: > > > > > Secondly, I found the entire section "3.5.1.5.2. DoH Specific > Considerations" to be objectionable, and recommend removing it. It mentions > many concerns that are better covered in RFC 8484 and/or HTTP RFCs, and > contrasts DoH with DoT in ways that are specious. Both TLS and HTTP allow > extension fields and metadata, so there's nothing unique to DoH here > (source: I've implemented DoH and ESNI clients). The entire section amounts > to a description of fields that privacy conscious DoH clients /might/ send > if they were poorly implemented. But it seems strange to stop there. > Implementation quality ratholes can go on for a while: for example, the > document doesn't mention the numerous problems with today's TLS, PKI, and > BGP infrastructure that apply to both DoT and DoH. > > As mentioned since this document is an analysis of the privacy > considerations of actually _using_ DNS (not just the protocol definitions) > then privacy considerations raised by poor implementations seem entirely in > scope. The document does also discuss such issues with TLS, The document contains the text: "DoT, for example, would normally contain no client identifiers above the TLS layer and a resolver would see only a stream of DNS query payloads originating within one or more connections from a client IP address. Whereas if DoH clients commonly include several headers in a DNS message' Doesn't this just mean "if the DoT client is a good implementation, and the DoH client is not..." ? I think the Section 8.2 of RFC8484 states this problem better. Why do we need this section? https://tools.ietf.org/html/rfc8484#section-8.2 > ones with PKI and PGP are clearly out of scope for this document. > I didn't mention PGP--I was talking about misrouting (BGP). I disagree that they are out of scope. Most of the larger TLS use cases rely on PKI. thanks, Rob
- [dns-privacy] Secdir last call review of draft-ie… Stephen Farrell via Datatracker
- Re: [dns-privacy] Secdir last call review of draf… Sara Dickinson
- Re: [dns-privacy] Secdir last call review of draf… Eric Rescorla
- Re: [dns-privacy] Secdir last call review of draf… Stephen Farrell
- Re: [dns-privacy] [secdir] Secdir last call revie… Benjamin Kaduk
- Re: [dns-privacy] [Last-Call] [secdir] Secdir las… Rob Sayre
- Re: [dns-privacy] [secdir] Secdir last call revie… Sara Dickinson
- Re: [dns-privacy] [Last-Call] last call review of… Sara Dickinson
- Re: [dns-privacy] [Last-Call] last call review of… Rob Sayre
- Re: [dns-privacy] [Last-Call] last call review of… Christian Huitema
- Re: [dns-privacy] [Last-Call] last call review of… Rob Sayre
- Re: [dns-privacy] [Last-Call] last call review of… Vittorio Bertola
- Re: [dns-privacy] [Last-Call] last call review of… Rob Sayre
- Re: [dns-privacy] [Last-Call] last call review of… Sara Dickinson
- Re: [dns-privacy] [Last-Call] last call review of… Eric Rescorla
- Re: [dns-privacy] [Last-Call] last call review of… Rob Sayre
- Re: [dns-privacy] [Last-Call] last call review of… Stephane Bortzmeyer
- Re: [dns-privacy] [Last-Call] last call review of… Eric Rescorla
- Re: [dns-privacy] [secdir] Secdir last call revie… Benjamin Kaduk