Re: [dns-privacy] I-D Action: draft-ietf-dprive-unilateral-probing-05.txt

"libor.peltan" <libor.peltan@nic.cz> Wed, 22 March 2023 20:30 UTC

Message-ID: <21773a06-c64e-b092-95bd-c816b4a5da52@nic.cz>
Date: Wed, 22 Mar 2023 21:30:09 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.7.1
To: dns-privacy@ietf.org
References: <167786725073.46820.15663590120057640951@ietfa.amsl.com>
Content-Language: en-US
From: "libor.peltan" <libor.peltan@nic.cz>
In-Reply-To: <167786725073.46820.15663590120057640951@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/8aG1Ag7-E2Mz6iNb2LXlc8fBGYI>
Subject: Re: [dns-privacy] I-D Action: draft-ietf-dprive-unilateral-probing-05.txt

Hi,

I generally like the idea of this draft and unilateral probing strategy. 
I just have a (possibly dumb) question.

```
An authoritative server SHOULD implement and deploy DNS-over-TLS (DoT) 
on TCP port 853.
An authoritative server SHOULD implement and deploy DNS-over-QUIC (DoQ) 
on UDP port 853.
```

Do those normative (or normative-looking) sentences really encourage 
(once the draft possibly becomes an RFC) every authoritative server in 
the world to implement DoT and DoQ (with a SHOULD)?

I would be afraid of opening various attack vectors (mainly, but not 
exclusively, DoS) that could also threaten the old-school Do53 service 
running on the same servers.

Another comment:

AFAIK in all practical aspects, DoQ is equal or better than DoT. The 
only advantage of DoT I know about is its maturity and better available 
tooling.

However, given how slowly the progress in DPRIVE goes, this might change. 
Won't it be pointless to encourage the DNS world to use DoT at all, 
when the actual migration path will be directly Do53->DoQ?

Thanks for considering,

Libor

On 03. 03. 23 at 19:14, internet-drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This Internet-Draft is a work item of the DNS PRIVate Exchange WG of the IETF.
>
>          Title           : Unilateral Opportunistic Deployment of Encrypted Recursive-to-Authoritative DNS
>          Authors         : Daniel Kahn Gillmor
>                            Joey Salazar
>                            Paul Hoffman
>    Filename        : draft-ietf-dprive-unilateral-probing-05.txt
>    Pages           : 30
>    Date            : 2023-03-03
>
> Abstract:
>     This document sets out steps that DNS servers (recursive resolvers
>     and authoritative servers) can take unilaterally (without any
>     coordination with other peers) to defend DNS query privacy against a
>     passive network monitor.  The steps in this document can be defeated
>     by an active attacker, but should be simpler and less risky to deploy
>     than more powerful defenses.
>
>     The goal of this document is to simplify and speed deployment of
>     opportunistic encrypted transport in the recursive-to-authoritative
>     hop of the DNS ecosystem.  With wider easy deployment of the
>     underlying transport on an opportunistic basis, we hope to facilitate
>     the future specification of stronger cryptographic protections
>     against more powerful attacks.
>
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dprive-unilateral-probing/
>
> There is also an htmlized version available at:
> https://datatracker.ietf.org/doc/html/draft-ietf-dprive-unilateral-probing-05
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-dprive-unilateral-probing-05
>
>
> Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
>
>
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy
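The following is an added example, not code from the draft, from the poster, or from any resolver implementation. It sketches the resolver-side decision the unilateral strategy implies: try the encrypted transports on port 853 (DoQ on UDP, DoT on TCP), remember per authoritative IP what worked, and fall back to cleartext Do53 when nothing does. The timer values, the `probe` callback interface, and the simulated server table are assumptions made for illustration; a real resolver would replace `simulated_probe` with an actual TLS/QUIC handshake plus a test query. The simulation also makes the abstract's caveat concrete: an on-path attacker who drops everything to port 853 is indistinguishable from a Do53-only server, so the resolver quietly downgrades to cleartext.

```python
"""Opportunistic encrypted-transport selection for recursive-to-authoritative DNS.

Added example; not the draft's text nor any resolver's code. Timers and the
probe interface are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Set, Tuple


class Transport(Enum):
    DO53 = "Do53"   # cleartext DNS on port 53 (UDP/TCP)
    DOT = "DoT"     # DNS over TLS, TCP port 853
    DOQ = "DoQ"     # DNS over QUIC, UDP port 853


# Assumed timers, in seconds: how long to trust a successful probe, and how
# long to avoid re-probing a transport that failed. Not the draft's values.
SUCCESS_TTL = 6 * 3600
FAILURE_BACKOFF = 24 * 3600

ProbeFn = Callable[[str, Transport], bool]  # True if handshake + query succeeded


@dataclass
class PeerState:
    working: Optional[Transport] = None          # encrypted transport known good
    known_until: float = 0.0                     # expiry of that verdict
    failed_until: Dict[Transport, float] = field(default_factory=dict)


class OpportunisticSelector:
    """Picks a transport per authoritative IP, unilaterally and opportunistically."""

    def __init__(self, probe: ProbeFn,
                 prefer: Tuple[Transport, ...] = (Transport.DOQ, Transport.DOT)):
        self.probe = probe
        self.prefer = prefer          # order in which encrypted transports are tried
        self.peers: Dict[str, PeerState] = {}

    def choose(self, ip: str, now: float) -> Transport:
        st = self.peers.setdefault(ip, PeerState())
        # 1. A cached, still-valid verdict for an encrypted transport wins.
        if st.working is not None and now < st.known_until:
            return st.working
        st.working = None
        # 2. Probe each preferred encrypted transport not in failure backoff.
        for t in self.prefer:
            if now < st.failed_until.get(t, 0.0):
                continue
            if self.probe(ip, t):
                st.working = t
                st.known_until = now + SUCCESS_TTL
                return t
            st.failed_until[t] = now + FAILURE_BACKOFF
        # 3. Nothing encrypted is usable right now: opportunistic fallback to
        #    cleartext. This is exactly what an active attacker blocking 853
        #    forces, which is why the draft only claims to defeat passive monitors.
        return Transport.DO53


# Constructed simulation of what the network would answer (not real hosts).
# 192.0.2.1 serves DoT only; 192.0.2.2 serves both; 192.0.2.3 is Do53-only,
# which from the resolver's side looks identical to an attacker dropping port 853.
SIMULATED_SERVERS: Dict[str, Set[Transport]] = {
    "192.0.2.1": {Transport.DOT},
    "192.0.2.2": {Transport.DOT, Transport.DOQ},
    "192.0.2.3": set(),
}
PROBE_LOG: List[Tuple[str, Transport]] = []   # every probe actually sent


def simulated_probe(ip: str, transport: Transport) -> bool:
    """Stand-in for a real TLS/QUIC handshake and test query (assumption)."""
    PROBE_LOG.append((ip, transport))
    return transport in SIMULATED_SERVERS.get(ip, set())


if __name__ == "__main__":
    sel = OpportunisticSelector(simulated_probe)
    for ip in SIMULATED_SERVERS:
        print(ip, "->", sel.choose(ip, now=0.0).value)
    # Second pass one day later: Do53-only peer gets re-probed, others stay cached
    # or re-probe only the transport that previously worked.
    for ip in SIMULATED_SERVERS:
        print(ip, "->", sel.choose(ip, now=FAILURE_BACKOFF + 1.0).value)
```

The per-IP cache is what keeps the strategy cheap for the authoritative side: after one failed round, a Do53-only server is left alone for `FAILURE_BACKOFF` rather than being hit on port 853 for every query, and a server that does answer on 853 is not re-handshaked until `SUCCESS_TTL` expires.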