Re: [dns-privacy] Ben Campbell's Yes on draft-ietf-dprive-dtls-and-tls-profiles-09: (with COMMENT)
Ben Campbell <ben@nostrum.com> Thu, 11 May 2017 14:11 UTC
Return-Path: <ben@nostrum.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA0D7131490; Thu, 11 May 2017 07:11:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.881
X-Spam-Level:
X-Spam-Status: No, score=-1.881 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kaVCnnwLESqp; Thu, 11 May 2017 07:11:35 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DA7512EC7F; Thu, 11 May 2017 07:05:36 -0700 (PDT)
Received: from [10.0.1.63] (cpe-66-25-7-22.tx.res.rr.com [66.25.7.22]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id v4BE5WP1028011 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 11 May 2017 09:05:33 -0500 (CDT) (envelope-from ben@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host cpe-66-25-7-22.tx.res.rr.com [66.25.7.22] claimed to be [10.0.1.63]
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Ben Campbell <ben@nostrum.com>
In-Reply-To: <1EFFE62A-A7A1-4A7E-B19C-88A400F0618D@sinodun.com>
Date: Thu, 11 May 2017 09:05:34 -0500
Cc: The IESG <iesg@ietf.org>, draft-ietf-dprive-dtls-and-tls-profiles@ietf.org, Tim Wicinski <tjw.ietf@gmail.com>, dprive-chairs@ietf.org, dns-privacy@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <51A0FD46-9EE8-480E-9848-2EE09E3D5C2E@nostrum.com>
References: <149445288162.16739.870078352991642154.idtracker@ietfa.amsl.com> <1EFFE62A-A7A1-4A7E-B19C-88A400F0618D@sinodun.com>
To: Sara Dickinson <sara@sinodun.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/92nmyIOyn-kYMPoP7rXzQFl4Xa0>
Subject: Re: [dns-privacy] Ben Campbell's Yes on draft-ietf-dprive-dtls-and-tls-profiles-09: (with COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 May 2017 14:11:43 -0000
> On May 11, 2017, at 7:12 AM, Sara Dickinson <sara@sinodun.com> wrote: > > >> On 10 May 2017, at 22:48, Ben Campbell <ben@nostrum.com> wrote: >> >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> I'm balloting "yes", but I do have some comments: >> >> Substantive: >> >> 5: "Clients using Opportunistic Privacy SHOULD try for the best >> case..." >> When might it be reasonable _not_ to try for the best case? (That is, why >> not MUST)? > > If latency is a greater concern than privacy. For example if a client has 5 Privacy servers configured a MUST would require it to attempt to obtain an authenticated, encrypted connection to all 5 before falling back to using an unauthenticated, encrypted connection to the first one. There is some text on this in Appendix A. Thanks, that helps. A few words about that near the SHOULD would be helpful. > >> >> 5.1: What's a reasonable granularity for the profile selection? The text >> suggests that decision is on a per-query basis; is that the intent? I >> assume you don't expect a user to make a decision for each query. > > No, it is expected that the client sets the desired Profile and uses it for all queries until that setting is changed. The intent of this text was to clarify that the granularity should not be less than query level. Maybe it would help to add some text “It is anticipated that clients will use a particular Usage Profile for all queries until an operational issue or policy update dictates a change in the profile used”? I think that would help. > >> >> 6.5: The statement that a client using OP "MAY" try to authenticate seems >> inconsistent with the "SHOULD try for the best case" statement in S5. >> (But seem my comment above about that.) > > You’re right it does seem inconsistent. It seems better to switch the MAY here to SHOULD? That seems reasonable to me. > >> >> 13.2: [I-D.ietf-dprive-dnsodtls] is referenced using 2119 keywords, so it >> should be a normative reference. (Note that this would be a downref.) > > It was caught in another review that this document is now an RFC. I’m not sure that changes my comment. It still needs to be a normative reference, and I assume the RFC is still experimental? > >> >> Editorial: >> >> 2: "MUST implement DNS-over-TLS [RFC7858] and MAY implement DNS- >> over-DTLS [I-D.ietf-dprive-dnsodtls]." >> Unless these are new-to-this-draft requirements, please use descriptive >> (non-2119) language. (Especially in a definition). > > The definition of a Privacy-enabling DNS Server is new to this draft which is why it seemed correct to use those terms. Do you think it would be better to move that description/definition to the introduction? I would suggest leaving it where it is, but making a change along the following lines “A DNS server that implements DNS-over-TLS and may optionally implement DNS-over-DTLS.”, and state the normative bits elsewhere. > >> >> 5: "Strict Privacy provides the strongest privacy guarantees and >> therefore SHOULD always be implemented in DNS clients along with >> Opportunistic Privacy." >> >> Does that mean "SHOULD implement both strict and opportunistic privacy" >> or "If you implement opportunistic you SHOULD also implement strict?” > > Good question. The second one. Replace with: > > “ Strict Privacy provides the strongest privacy guarantees and > therefore SHOULD always be implemented in DNS clients that implement > Opportunistic Privacy.” Looks good to me. > >> >> 6.2: Should list item "2" be "ADN+IP", like in the table? > > The 'Short name’ in used in the listing, the one given in the last column of the table. > Okay. >> >> 11: Is "SHOULD consider implementing" different than "SHOULD implement”? > > No, I don’t think so :-) Propose it is changed to “SHOULD implement”. Looks good to me. Thanks! Ben.
- [dns-privacy] Ben Campbell's Yes on draft-ietf-dp… Ben Campbell
- Re: [dns-privacy] Ben Campbell's Yes on draft-iet… Sara Dickinson
- Re: [dns-privacy] Ben Campbell's Yes on draft-iet… Ben Campbell