IETF Logo Mail Archive

Re: [dns-privacy] Call For Adoption: draft-wing-dprive-dnsodtls

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 22 May 2015 18:42 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 956721A86FC for <dns-privacy@ietfa.amsl.com>; Fri, 22 May 2015 11:42:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DmTNn9BzBUpU for <dns-privacy@ietfa.amsl.com>; Fri, 22 May 2015 11:42:38 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 71FBF1A8700 for <dns-privacy@ietf.org>; Fri, 22 May 2015 11:42:38 -0700 (PDT)
Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 2FC0AF984; Fri, 22 May 2015 14:42:34 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 247192001C; Fri, 22 May 2015 14:42:12 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Tim Wicinski <tjw.ietf@gmail.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
In-Reply-To: <555C942F.2090007@gmail.com>
References: <555C942F.2090007@gmail.com>
User-Agent: Notmuch/0.20~rc1 (http://notmuchmail.org) Emacs/24.4.1 (x86_64-pc-linux-gnu)
Date: Fri, 22 May 2015 14:42:12 -0400
Message-ID: <871ti8pi7v.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/Alolkk5ZXqGngynEm7MkvtZKK4o>
Subject: Re: [dns-privacy] Call For Adoption: draft-wing-dprive-dnsodtls
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 May 2015 18:42:41 -0000

On Wed 2015-05-20 10:03:27 -0400, Tim Wicinski wrote:
> During the previous Call for Adoption a number of participants expressed 
> interest in adopting this work.  WG members felt it needed some 
> improvements, but thought it had potential. The authors addressed the 
> issues and feel it meets what the working group was seeking, and have 
> requested that we initiate a call for adoption.
>
> If the working group adopts this document, it only means it wishes to 
> study this solution more carefully.  The working group may still 
> determine to not move forward with it.
>
> The draft is available here: 
> https://datatracker.ietf.org/doc/draft-wing-dprive-dnsodtls/

I support the WG adopting this document for consideration.

I'm willing to review.

Looking at -01 of the draft:

 Section 3.2:

   Verifying the server certificate based on fingerprint needs to be
   spelled out more clearly (what exactly is fingerprinted, how it is
   fingerprinted).  But i don't think we should be fingerprinting the
   certificate itself at all in this case.  I think we should be
   fingerprinting the subject's public key.  The folks working on HTTP
   Public Key Pinning (HPKP) already went through this discussion, and
   settled on pinning public keys instead of certificates for good
   reason: in the pinning case, we want to make sure that we're looking
   at the same public key, not about the identity material wrapped
   around it in the cert.  (this also allows them to work with
   oob-pubkeys, as you recommend in section 7)


 Section 3.3:

   This section seems to bundle assumptions about DHCP information and
   system configuration all together ("an implementation will
   attempt"). I think we should separate those considerations, and make
   it clearer that this section is not a normative set of guidelines,
   but rather a description of common behaviors and choices.

Section 7:

   "amoritized" should be "amortized".  I'm not convinced by the NOT
   RECOMMENDED in this section. Especially as the root zone expands, it
   doesn't look all that much different than any other busy
   authoritative nameserver.  This sort of SHOULD NOT ought to be backed
   up by hard data, or some sort of operational characteristics (X
   number of clients, each querying Y times per day, or something), or
   else it looks like it would apply to all authoritative nameservers.
   I understand that we want dprive to focus first on the stub->resolver
   link, but i don't think we should shoot down using DNSSoD on
   resolver->authoritative links without more consideration.

Regards,

        --dkg

v2.23.0 | Report a Bug | By Email