Re: [dns-privacy] [DNSOP] Next steps: draft-ietf-core-dns-over-coap

Ben Schwartz <bemasc@meta.com> Thu, 29 June 2023 21:11 UTC

From: Ben Schwartz <bemasc@meta.com>
To: Martine Sophie Lenders <m.lenders@fu-berlin.de>, "core@ietf.org" <core@ietf.org>
CC: "draft-ietf-core-dns-over-coap@ietf.org" <draft-ietf-core-dns-over-coap@ietf.org>, dnsop <dnsop@ietf.org>, DNS Privacy Working Group <dns-privacy@ietf.org>
Date: Thu, 29 Jun 2023 21:10:44 +0000
Message-ID: <BN8PR15MB32819C4B4258AF2B14F29BB3B325A@BN8PR15MB3281.namprd15.prod.outlook.com>
References: <2490fd32-437d-8182-ec2e-9e5058d9bf5a@fu-berlin.de> <BN8PR15MB3281BDC22008FF7D94076A1CB323A@BN8PR15MB3281.namprd15.prod.outlook.com> <53c93af2-8b37-ad11-f12d-428f47a515ac@fu-berlin.de>
In-Reply-To: <53c93af2-8b37-ad11-f12d-428f47a515ac@fu-berlin.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/9OGC3tbCOImmoerk16w9EGSl-EM>
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>


On 6/28/23, 10:24 AM, "Martine Sophie Lenders" <m.lenders@fu-berlin.de> wrote:
Hi Ben,

On 23.06.23 22:23, Ben Schwartz wrote:
> I think it would be helpful if this document were more explicit about
> its motivation.  In my view, the underlying motivation for this draft is
> to enable seamless management of DNS service within a CoAP-centered
> deployment, by sharing key distribution, access controls, monitoring,
> etc.  The draft claims various performance benefits from DoC, but these
> are unproven and seem unlikely to be significant.

We have a paper on the performance benefits just accepted for CoNEXT,
which we will cite once it is published. An early pre-print (the final
paper underwent some major revisions though) is available on arXiv [5].

This paper appears to be focused on DNS performance, but DNS is usually only a small component of overall system performance.

BTW, this reminds me that referring to OSCORE as “end-to-end” in this context is confusing, since the logical “endpoints” are the stub resolver and the authoritative nameserver.

> ...
>
>     For our document, I think we
>     need at least confirmation or decline that the "coap" ALPN could be
>     used
>     for DTLS, SVCB for OSCORE/EDHOC, I think is out of scope at the moment
>     anyways.
>
> I'm not sure I follow, but using the same ALPN for multiple transports
> renders that ALPN permanently incompatible with SVCB.  I recommend
> keeping "coap" for TLS/TCP only, and defining a new ALPN ID for CoAP/DTLS.

That makes things clearer for us. In the next version we will word the
draft in accordance with that: only the "coap" ALPN for TLS/TCP is
available at the moment. For DTLS and OSCORE, alternative approaches need
to be created (see [1] and [2] in my original mail), which are, however,
out of scope for the DoC document, in my opinion.

That’s fine with me.

>     Furthermore, there is still an open question, if DoC can or should be
>     translated at a CoAP-HTTP proxy to DoH. Namely, how the FETCH that DoC
>     uses should be translated into the POST/GET of DoH [3].
>
> I don't think there is any need to specify this.  A DoC server could act
> as a forwarder to an upstream using DoH, DoQ, etc. in accordance with
> the relevant standards, without impacting its compliance as a DoC server.
>
> However, this does resemble a concern I've previously raised: the draft
> does not explain why it is necessary to define a new DoC mechanism,
> rather than simply forwarding RFC 8484 DoH through a CoAP-HTTP proxy.

This question was raised in reaction to your concern, actually. Note
that if a proxy is used, the target resource needs to be mentioned in
the CoAP header, increasing the overall packet size, so a proxy should
be kept optional. Forwarding DoH through a C-H proxy would make the
proxy mandatory. In addition, DoC benefits greatly from its use of
the CoAP-only FETCH method (see [5]).

I think this explanation should be included in the draft.

The question is more a CoRE question, I think. RFC 8132 does not really
specify how FETCH should be translated via a C-H proxy, so I assume it
to be use-case dependent. Should the draft specify this for the DoC use
case, and if yes, which method should be used, or should the DoC server
just act as a recursive resolver, using DoH towards the DNS infrastructure?

The DNS protocol is role-independent, so a DoC server could (in principle) be a recursive resolver, a forwarder, or an authoritative nameserver.  If it is a forwarder, it could use DoH, DoC, or any other transport of its choice to reach its upstream resolver.

Best
Martine

[5] https://arxiv.org/abs/2207.07486
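Two points in the exchange above are easy to make concrete in bytes: Martine's remark that routing DoC through a CoAP-HTTP proxy forces the full target URI into the CoAP header (a Proxy-Uri option) and so grows every request, and the open question of how a FETCH carrying an application/dns-message payload would be mapped onto the GET or POST forms of RFC 8484 DoH. The following script is an added illustration written for this archive page; it is not code from the thread, the DoC draft, or either author. It implements the RFC 7252 option encoding and the RFC 8484 request forms from the RFCs themselves; the CoAP Content-Format ID 553 for application/dns-message, the resource path "dns", the token, the message ID and the host names dns.example.net and doh.example.net are assumptions made for the example.

```python
"""Added example (not from the thread or the DoC draft): size a DoC FETCH request
with and without a Proxy-Uri option, and build the two RFC 8484 DoH request forms
a CoAP-HTTP proxy would have to choose between when forwarding it."""
import base64
import struct
from typing import List, Optional, Tuple

# CoAP option numbers (RFC 7252) and the FETCH method code 0.05 (RFC 8132).
URI_PATH, CONTENT_FORMAT, ACCEPT, PROXY_URI = 11, 12, 17, 35
FETCH = 0x05
# Assumption for this example: CoAP Content-Format ID for application/dns-message.
CF_DNS_MESSAGE = 553


def dns_query(name: str, qtype: int = 1) -> bytes:
    """Minimal DNS wire-format query: ID 0 (as RFC 8484 recommends), RD set, one question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _nibble(value: int) -> Tuple[int, bytes]:
    """Option delta/length nibble plus its extension bytes (RFC 7252 section 3.1)."""
    if value < 13:
        return value, b""
    if value < 269:
        return 13, bytes([value - 13])
    return 14, struct.pack("!H", value - 269)


def uint_option(value: int) -> bytes:
    """Minimal-length big-endian uint option value; 0 encodes as zero bytes."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def encode_options(options: List[Tuple[int, bytes]]) -> bytes:
    """Serialise options in ascending number order using delta encoding."""
    out, previous = bytearray(), 0
    for number, value in sorted(options):
        d, d_ext = _nibble(number - previous)
        ln, l_ext = _nibble(len(value))
        out += bytes([(d << 4) | ln]) + d_ext + l_ext + value
        previous = number
    return bytes(out)


def coap_message(code: int, token: bytes, options, payload: bytes, msg_id: int = 0x1234) -> bytes:
    """Confirmable CoAP message: 4-byte header, token, options, 0xFF marker, payload."""
    header = bytes([0x40 | len(token), code]) + struct.pack("!H", msg_id)  # Ver=1, T=CON, TKL
    body = encode_options(options)
    if payload:
        body += b"\xff" + payload
    return header + token + body


def doc_fetch(query: bytes, proxy_uri: Optional[str] = None) -> bytes:
    """DoC request: FETCH with the DNS query as application/dns-message payload.
    The path "dns", token and proxy URI are assumptions made for this example."""
    options = [(CONTENT_FORMAT, uint_option(CF_DNS_MESSAGE)),
               (ACCEPT, uint_option(CF_DNS_MESSAGE))]
    if proxy_uri is None:
        options.append((URI_PATH, b"dns"))
    else:
        # With Proxy-Uri present the Uri-* options must be absent (RFC 7252 section 5.10.2),
        # so the complete target URI travels in every request instead of a short path.
        options.append((PROXY_URI, proxy_uri.encode("ascii")))
    return coap_message(FETCH, b"\x7a\x4e", options, query)


def proxy_overhead(query: bytes, proxy_uri: str) -> int:
    """Extra bytes per request caused by addressing the DoC server through a proxy."""
    return len(doc_fetch(query, proxy_uri)) - len(doc_fetch(query))


def doh_get(query: bytes, host: str = "doh.example.net", path: str = "/dns-query") -> bytes:
    """RFC 8484 GET form: base64url without padding in the dns= query parameter."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return (f"GET {path}?dns={dns} HTTP/1.1\r\nHost: {host}\r\n"
            f"Accept: application/dns-message\r\n\r\n").encode("ascii")


def doh_post(query: bytes, host: str = "doh.example.net", path: str = "/dns-query") -> bytes:
    """RFC 8484 POST form: the DNS message is carried verbatim as the request body."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\nContent-Type: application/dns-message\r\n"
            f"Accept: application/dns-message\r\nContent-Length: {len(query)}\r\n\r\n")
    return head.encode("ascii") + query


if __name__ == "__main__":
    q = dns_query("example.org")
    print("DoC FETCH, direct:    ", len(doc_fetch(q)), "bytes")
    print("DoC FETCH, via proxy: ", len(doc_fetch(q, "coap://dns.example.net/dns")), "bytes")
    print("DoH GET request line: ", doh_get(q).split(b"\r\n")[0].decode())
    print("DoH POST, total:      ", len(doh_post(q)), "bytes")
```

For a 29-byte A query the direct FETCH is 46 bytes on the wire; naming the DoC server through a Proxy-Uri option of 26 characters adds 25 bytes, more than half the size of the DNS message itself, which is the cost Martine is pointing at on a constrained link. The two DoH functions show what a translating proxy would have to decide: the POST form keeps the payload byte-for-byte (the natural counterpart of a FETCH body), while the GET form re-encodes it into the URI and so needs the ID-0 convention to stay cacheable.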