Re: [dns-privacy] AD review of draft-ietf-dprive-xfr-over-tls-08
Sara Dickinson <sara@sinodun.com> Mon, 29 March 2021 13:08 UTC
Return-Path: <sara@sinodun.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 750E13A1182; Mon, 29 Mar 2021 06:08:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.601
X-Spam-Level:
X-Spam-Status: No, score=-0.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, PDS_SHORTFWD_URISHRT_QP=1.499, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sinodun.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0Et4oTUSQeTS; Mon, 29 Mar 2021 06:08:17 -0700 (PDT)
Received: from haggis.mythic-beasts.com (haggis.mythic-beasts.com [IPv6:2a00:1098:0:86:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6C613A1186; Mon, 29 Mar 2021 06:08:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sinodun.com ; s=mythic-beasts-k1; h=To:Date:From:Subject; bh=VIbGeQ8B/SpHBnUhCqjpdLV5mwVfecWCiMBiN95FqB4=; b=LWU2YQDOcwoTvuj1bPFduIn8Yl zOnvhW96FFR6cMk1vGhXpPhZv16obCln5YRRIL8BEFY2fsTX/rw8zLtFuZGUU4lWk7zA30RRUJwsE EKnNJHUS9j5dZS5EdkJS2RZoehNyonUXNah5NC/AReMP3FiLtCZ4eoIy7CErzyTys9ya6sN9WbfWJ yCqukDypkCFQuKsd0ks9ajBH65eGkBBkT0MRKXxdMoTMl+7ISvbE7TmdDSoPtpRSGouSIAJbdoeVl 793ntSyBI6YvvuVpsSNhZCU2oC9QkBjTq/Q449AckgmzWCbW5g8snQ/6JoPX11TKevR3G/lDkqU0z 9lpSjCNQ==;
Received: from [62.232.251.194] (port=9744 helo=[172.27.240.4]) by haggis.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from <sara@sinodun.com>) id 1lQrcs-0000lK-HL; Mon, 29 Mar 2021 14:08:14 +0100
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.17\))
From: Sara Dickinson <sara@sinodun.com>
In-Reply-To: <743E167C-3449-49A9-81F9-48CE5E98846C@cisco.com>
Date: Mon, 29 Mar 2021 14:07:54 +0100
Cc: draft-ietf-dprive-xfr-over-tls@ietf.org, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <29BBFB1A-E849-483D-83FB-0C4D5DC306BE@sinodun.com>
References: <743E167C-3449-49A9-81F9-48CE5E98846C@cisco.com>
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
X-Mailer: Apple Mail (2.3445.104.17)
X-BlackCat-Spam-Score: 4
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/6NqcAdHvjnk6g82f6iyRLXbP_mA>
Subject: Re: [dns-privacy] AD review of draft-ietf-dprive-xfr-over-tls-08
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Mar 2021 13:08:22 -0000
> On 18 Mar 2021, at 15:33, Eric Vyncke (evyncke) <evyncke@cisco.com> wrote: > > Dear authors, > > Thank you (and extended thanks to the WG) for this document. > > Please find below my AD review of -08 revision of the document. Before proceeding with the publication process, I will appreciate replies about the points below (and possibly a revised I-D). Many thanks for the review! > > - Section 1: please replace the reference to RFC7626 with the 7626bis document, which is already in the RFC editor queue Done. > - Section 1: does the use of legacy RFC 7626 rather than the bis impact the rest of the section ? Not in terms of XFR - the bis makes no updates to the discussion of XFR handling. But your comment on this paragraph prompted me to remove the reference to the draft-vandijk-dprive-ds-dot-signal-and-pin as the discussion in DPRIVE has moved on significantly from when that was first published. I suggest changing the text to: “and some suggestions for how signaling of DoT support by authoritatives might work." > - Section 1: “Some operators use SSH tunneling or IPSec to encrypt the transfer data” is this assertation backed by some public references ? I can’t find any good references for specific deployments even though it is a know technique, but the NIST guide referenced in the next paragraph does also mention it as an option. I propose to remove that specific sentence and update the following paragraph: “Section 8 of the NIST guide on 'Secure Domain Name System (DNS) Deployment' [@nist-guide] discusses restricting access for zone transfers using ACLs and TSIG in more detail. It also discusses the possibility that specific deployments might choose to use a lower level network layer to protect zone transfers, e.g., IPSec." > - Section 1: did you consider adding something about reconnaissance ? I.e., network scanning of an IPv6 prefix is basically impossible but having access to a DNS zone and its AAAA RR makes the reconnaissance trivial Not really, as I think the main concern with zone enumeration has largely been the exposure of the names rather than the IP addresses, but it is a good point. We could add the following text after the bullet points. “Additionally, the full zone contents expose all the IP addresses of endpoints held in the DNS records which can make reconnaissance trivial, particularly for IPv6 addresses." > - Section 4.1: from a logical flow perspective, I would have started with the threat model first, then the confidentiality/authentication/ parts Thanks - that makes more sense. I have changed section 4.1 into section 4 (threat model) and changed the use cases to be section 5 (but also see next answer). > - Section 4: I find the logic of the ‘performance’ point weird because it is not really generated by the document but rather by an upgrade. I suggest to rewrite this part. I think a better title for that section would be something like ‘Design considerations for XoT’ which might better describe what is being listed there? > - Some nits usually ‘e.g.’ is surrounded by commas Fixed > - BTW, while I appreciate the trend to replace master by primary, may I suggest to clarify in the terminology section that ‘primary’ means ‘master’ and ‘secondary’ means ‘slave’ ? Up to you as it is a touchy topic but making the linked with the legacy document seems important to me. Really up to the authors. Suggest moving the text on this to be a sub note to the RFC8499 reference which already deals with the legacy terms: “DNS terminology is as described in [@!RFC8499]. Note that as in [@!RFC8499], the terms 'primary' and 'secondary' are used for two servers engaged in zone transfers." > - Section 5.2 last § missing a closing ‘)’ > - Section 5.3.2 please qualify “lag” (I guess serial numbers) > - Section 6, unsure whether “(probably unintentional)" add any value, consider to remove ? All fixed. > - Section 6.4, "one DoH connection" even with the "could hypothetically include" appears a little weird to me The full list of multiple transports was added after a discussion in the WG to clarify the issue. We did think about using DNS-over-QUIC instead, but using a standardised protocol seemed better…. > - Section 7, consider expanding the XoT in the section title ? It looks weird in the ToC > - section 7.6, perhaps also expand XoT and ADoT in the section title I tried to use acronyms everywhere after the terminology section where they are defined as I believe the RFC editor tends to ask this? So I’ve actually fixed up a couple of places where that wasn’t true… If you think this is a real readability issue for the section headings then we can change them (I’ve used XoT long enough not to think so!) > - section 7.6, §2 "short term,S.S. with regard" typo in S.S. fixed > - section 8, long RTTs are mentioned as a reason to change of preferred primary, but, RTT is only one part of the TCP throughput. Should this be elaborated further ? From my limited knowledge of existing algorithms I believe only the query/response RTT is used (the handshake is not measured), so I’ll clarify that. > - section 8, in " 'parallel primary connection' model" should this be "models” ? No, in this and the previous paragraph we are comparing two different models (unless I missed your point). > - section 9.3.1 " MitM" is not defined and current trend is to replace it with "on path active attacker" (really up to the authors as I do mind) > - section 9.3.3. nits in " client can authentic the” Fixed. > - section 9 and 10, I wonder why section 9 (mechanisms) is not a sub-section of section 10 (I do not really mind though) 9 is the outline of all the possible mechanisms for XFR/XoT, 10 is the specifics of what XoT requires. > - section 11, should there be a "then" in " if AXFRs use AXoT all IXFRs MUST use IXoT” ? fixed > - section 12, the text talks about implementations but I wonder whether the section title should rather be on operations The first two paragraphs are meant as specific notes to implementors, the second 2 are more operations though… I have split them out into a separate sections. > - section 15, should there be a discussion on using simple IP ACL as authentication ? IP spoofing exists ;) Do you mean specifically TCP IP address spoofing for TLS connections? Do you know of a good reference which would be suitable here? A diff to the -08 version with the suggested updates (and a couple more typos fixed) for you to review is here: https://tinyurl.com/329f65yj Best regards Sara.
- [dns-privacy] AD review of draft-ietf-dprive-xfr-… Eric Vyncke (evyncke)
- Re: [dns-privacy] AD review of draft-ietf-dprive-… Sara Dickinson
- Re: [dns-privacy] AD review of draft-ietf-dprive-… Eric Vyncke (evyncke)