[dns-privacy] Erik Kline's No Objection on draft-ietf-dprive-unilateral-probing-12: (with COMMENT)

Erik Kline via Datatracker <noreply@ietf.org> Sat, 16 September 2023 06:03 UTC

From: Erik Kline via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-dprive-unilateral-probing@ietf.org, dprive-chairs@ietf.org, dns-privacy@ietf.org, brian@innovationslab.net, tjw.ietf@gmail.com, brian@innovationslab.net
Reply-To: Erik Kline <ek.ietf@gmail.com>
Message-ID: <169484421725.20540.17499988491702390674@ietfa.amsl.com>
Date: Fri, 15 Sep 2023 23:03:37 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/CGEO65TyKCTUdHPBZKWLxD3RXms>
Subject: [dns-privacy] Erik Kline's No Objection on draft-ietf-dprive-unilateral-probing-12: (with COMMENT)

Erik Kline has entered the following ballot position for
draft-ietf-dprive-unilateral-probing-12: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dprive-unilateral-probing/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

# Internet AD comments for draft-ietf-dprive-unilateral-probing-12
CC @ekline

* comment syntax:
  - https://github.com/mnot/ietf-comments/blob/main/format.md

* "Handling Ballot Positions":
  - https://ietf.org/about/groups/iesg/statements/handling-ballot-positions/

## Comments

### S3.1

* A 3rd option for a pool operator is to use a load-balancer that forwards
  queries/connections on encrypted transports to only those members of the
  pool known (e.g. via monitoring) to support the given encrypted transport.

### S4.2

* There is no "port closed" ICMP message.  There is a Port Unreachable code
  under the Destination Unreachable type category.

* The IP addresses given are not "two A records" but rather the values that
  might appear in an A Resource Record and AAAA Resource Record.

### S4.4

* The use of lowercase "must" for the ALPN strings seems a bit odd.

  Should this section say that the ALPN is a "MUST"?  It could perhaps be
  reworded to say something like "... and if an ALPN is included it MUST be
  <the_thing>".

### S4.6.3 or S8

* I think a very important caveat here is when a node running its own
  recursive resolver has just joined a network and not yet completed any
  captive portal probes.  Initiating encrypted transport connections prior
  to satisfying the captive portal testing stage could have negative
  consequences (especially given the MUST in S4.6.3.4).

  Whether the state of the captive portal check(s) can be known by the
  recursive resolver function or not is an implementation-specific matter.

  Yes, this really only applies to recursive resolvers running on mobile
  devices, but some devices can actually do this.