[dns-privacy] Roman Danyliw's No Objection on draft-ietf-dprive-xfr-over-tls-11: (with COMMENT)

Roman Danyliw via Datatracker <noreply@ietf.org> Tue, 04 May 2021 21:44 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: dns-privacy@ietf.org
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id ABB4A3A1589; Tue, 4 May 2021 14:44:03 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: "The IESG" <iesg@ietf.org>
Cc: draft-ietf-dprive-xfr-over-tls@ietf.org, dprive-chairs@ietf.org, dns-privacy@ietf.org, tjw.ietf@gmail.com, tjw.ietf@gmail.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.28.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <162016464323.21297.9629553981279271609@ietfa.amsl.com>
Date: Tue, 04 May 2021 14:44:03 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/AvCfMRiI0hKuZgPRWdRjZBE_VBA>
Subject: [dns-privacy] Roman Danyliw's No Objection on draft-ietf-dprive-xfr-over-tls-11: (with COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 May 2021 21:44:04 -0000

Roman Danyliw has entered the following ballot position for
draft-ietf-dprive-xfr-over-tls-11: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dprive-xfr-over-tls/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Section 1.  s/can make reconnaissance trivial/can make reconnaissance and
attack targeting easier/

Section 1.  Per “… zone walking is now possible with NSEC3 due to
crypto-breaking advances”, a reference here would be helpful.

Section 1.  As far as I can tell the work on draft-vcelak-nsec5 has not been
adopted and the draft is expired.  Perhaps this should be signaled via s/This
has prompted further work on an alternative mechanism/This promoted work on an
alternative mechanism/

Section 1.  Per “It is noted that in all of the common open source
implementations …”, as this is a point in time assessment, it would be helpful
to at least mention parenthetically the implementations/version numbers
assessed informally for this conclusion.

Section 1.  Editorial.  “… must cater for accepting …” doesn’t parse for me.

Section 4.

   The threat model does not, however, consider the existence of a zone,
   the act of zone transfer between two entities, nor the identities of
   the nameservers hosting a zone

To further document the assumptions, consider adding that this threat model
doesn’t consider/protect the mechanisms to decide on triggering the zone
transfer (e.g., protecting NOTIFY messages from an active attacker)

Section 6.2.  Per “However it is noted that most widely used open source
authoritative nameserver implementations (including both [BIND] and [NSD]) do
IXFR using TCP by default in their latest releases”, as this document ages,
“latest release” may not be meaningful.  Consider providing a version number
for [BIND] and [NSD].

Section 8.4 and 10.4.  As already mentioned by Martin and John -- It seems like
a strong statement to say that IP ACLs are in the same class of “channel
authentication” as mTLS.

Section 8.8.1.  It’s difficult to assess how effective this notional padding
approach would be for providing traffic analysis protection.  A few thoughts on
the existing text realizing the details are out of scope:

-- Does padding for AXoT need to be coordinated with the padding on IXoT?

-- Is keeping state required to ensure that padding provides the appropriate
obfuscation over time?