IETF Logo Mail Archive

Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-unilateral-probing

Paul Hoffman <paul.hoffman@icann.org> Wed, 07 June 2023 23:12 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAD73C151525 for <dns-privacy@ietfa.amsl.com>; Wed, 7 Jun 2023 16:12:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GURa3RXLW9I6 for <dns-privacy@ietfa.amsl.com>; Wed, 7 Jun 2023 16:12:25 -0700 (PDT)
Received: from ppa4.dc.icann.org (ppa4.dc.icann.org [192.0.46.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE571C15108D for <dns-privacy@ietf.org>; Wed, 7 Jun 2023 16:12:25 -0700 (PDT)
Received: from MBX112-E2-CO-1.pexch112.icann.org (out.mail.icann.org [64.78.33.7]) by ppa4.dc.icann.org (8.17.1.19/8.17.1.19) with ESMTPS id 357NCNw3025355 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 7 Jun 2023 23:12:23 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.26; Wed, 7 Jun 2023 16:12:21 -0700
Received: from MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) by MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) with mapi id 15.02.1118.026; Wed, 7 Jun 2023 16:12:21 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: Philip Homburg <pch-ietf-dprive@u-1.phicoh.com>
CC: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Thread-Topic: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-unilateral-probing
Thread-Index: AQHZkAIFa64t/3ey40OqazMThvYUVq99Hf4A//+LIuCAAHi3AIAABMUAgAAOUwCAAGnTAIAAsGwA//+h2FKAAHmKgIAAoxlvgAFysYA=
Date: Wed, 07 Jun 2023 23:12:21 +0000
Message-ID: <E68DAF11-E748-4F3C-AAD3-4E5921B652D9@icann.org>
References: <64e17d73-ea1a-00cb-a8a5-b5cfb39c37ae@innovationslab.net> <45ada5a8-b483-dae7-eb56-88411fb2f75c@innovationslab.net> <7a3cd83a-b80d-f00d-b050-0a1d4845146b@innovationslab.net> <D7C916AC-E47D-45FE-9976-188DAE0775EF@icann.org> <CADyWQ+HMj5NH1g_oCTNxYkGDmp2L3EwmMyOv2-bXeXvp5kvm0A@mail.gmail.com> <6B55CCC0-069F-43DD-B9DA-024E4334D6F4@icann.org> <20c5ac1666e4428b8ffa70c7b9e8a19c@verisign.com> <CADyWQ+HJ7ZLWfwxr6vb9HsERMJXuu-1zD_=cr4S+mZ1ieWrYwQ@mail.gmail.com> <0007CDA7-ADD3-43BB-B5D3-3B1810206E0E@icann.org> <8fbed8926b3f4e28b9f3f76a85e0b619@verisign.com> <CANMuhxt5cE--GUtapEL69dFkAFSU5dF3psMCgNRKj8_dXpsFLA@mail.gmail.com> <ABE27A4A-BA96-4505-A3E3-1FE83CAA5A63@icann.org> <m1q6YGM-0000KoC@stereo.hq.phicoh.net> <3B79D45A-1F95-4A4A-9F8D-D3D9C424B4B2@icann.org> <m1q6oAa-0000KqC@stereo.hq.phicoh.net>
In-Reply-To: <m1q6oAa-0000KqC@stereo.hq.phicoh.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: True
Content-Type: text/plain; charset="us-ascii"
Content-ID: <01CB5B7847B90A45AFC9236E27E0F74E@pexch112.icann.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.957,Hydra:6.0.573,FMLib:17.11.176.26 definitions=2023-06-07_11,2023-06-07_01,2023-05-22_02
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/DI0Y0n9kTJnIYdFDEIfdIW0ictU>
Subject: Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-unilateral-probing
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jun 2023 23:12:27 -0000

On Jun 7, 2023, at 1:05 AM, Philip Homburg <pch-ietf-dprive@u-1.phicoh.com> wrote:
> 
>> We still have time to add those known operational considerations.
>> In fact, we should be listing those even if this is an experimental
>> RFC.
> 
> The experiment could just be to gain operational experience. We can be upfront
> that we don't know what will happen, and encourage people to be careful.

That's true with every new protocol from the IETF. It would be good to understand what is different about this protocol for such an experiment.

>> If so, they are not following the draft:
>> 
>> An authoritative server implementing DoT or DoQ MUST authoritatively
>> serve the same zones over all supported transports.  If both DoT
>> and DoQ are offered, a nameserver's reply to a particular query
>> MUST be the same on both transports (with the possible exception
>> of how the TC bit is set).
>> 
>> Which authoritative servers are serving different content on 853,
>> and what are the differences? We should certainly discuss that in
>> the draft.
> 
> Of course they are not following this draft. After all this is just a draft.
> They are following RFC 7858 (DoT) and are running a recursive resolver on
> this port.

Serving from port 853 in RFC 7858 (DoT) only applies to the client-facing side of recursive resolvers. It doesn't apply to authoritative servers at all.

> I don't know if they also have a recursor on port 53, that is very
> well possible. The problem is that they have an authoritative on 53 but not
> on 853.
> 
> The problem is that this draft is essentially updating RFC 7858 without
> explicitly doing so. 

It is not updating RFC 7858 at all. RFC 7858 explicitly applies to the stub resolver and the client-facing side of recursive resolvers. This draft applies to the server-facing side of recursive resolvers and authoritative server. There is zero overlap.

>From your response above, I take it that you don't have any examples of authoritative servers already serving on port 853. Please let me know if that's wrong; if so, please give at least one example.

>> How to reach them: no idea. How to deal with that: it's prohibited
>> with MUST-level language.
> 
> The obvious 'solution' is to move this draft to a new port, because 853 is
> already in use for other traffic.

That was discussed in the WG, and rejected.

> Just adding a MUST that is in conflict with current practice makes for a poor
> standard. If the problem is small, then experimental is fine and we can
> start telling people that they have to stop doing this. 

Again, you haven't shown any current practice of authoritative servers serving on port 853. If you can show that, it would very helpful.

> 
>> Are you talking about authoritative servers or the client-facing
>> side of recursive resolvers? If the latter, that's very clearly
>> out of scope for this document (or any document other than the DoT
>> spec). But if it authoritative servers doing something else on 853,
>> we should certainly cover it.
> 
> Yes, I'm talking about recursive. And that's why I said, the operational
> aspects are not sufficiently discussed. Marking recursive out of scope does
> not help when other recursive resolvers connect to such servers.

This is unclear. If a recursive resolver has an NS record with addresses, when would those addresses ever be the client-facing side of a different resolver?

>> If you have suggestions for what more could be said, we'd be happy
>> to add them. Note that the DNS traffic will not automatically switch
>> to TLS or QUIC: probe traffic will increase. The DNS traffic will
>> only switch if the authoritative server operators turn on the
>> service. The increase in probe traffic is covered throughout the
>> document, but if you think that adding more in a particular place
>> would help reduce negative impacts, please say where and we can
>> add it.
> 
> No, I'm saying it should be experimental because we don't know and should
> experiment. 

Please be specific about what we don't know so that we can be specific in the draft.

> 
>> I don't understand this. All security protocols are optional. The
>> existence of this draft, when it becomes an RFC, does not force
>> any client to use it, just as no resolver is forced to set the DO
>> bit on queries and then interpret the DNSSEC material in the
>> responses.
> 
> Usually, if you say you implement a security standard, it should actually be
> secure if you follow the standard. It is a bad security standard, if the
> standard says that you can stop being secure if you are overloaded. That
> only leads to problems later on.
> 
> What if TLS would say that you can stop encrypting data if you get overloaded.
> People would get very upset.

Ah, OK. You are asking for the non-opportunistic version of this protocol, with authenticated probing and never falling back to using Do53. The WG was not able to get any traction on that idea, despite many attempts.

> 
>> Yep, that's what we are discussing. What criteria would you use to
>> determine the success of the experiment?
> 
> The success of the experiement is that operational issues are documented,
> including operational practices and the feedback of the experiment is
> used in a new draft that is intended to become a standard.

Can you be more specific about "operational issues"? Every new protocol has operational issues. Which are you concerned about here, and can they be measured?

> From https://www.ietf.org/standards/process/informational-vs-experimental/
> 
> "If the IETF may publish something based on this on the standards track once we know how well this one works, it's Experimental. This is the typical case of not being able to decide which protocol is "better" before we have experience of dealing with them from a stable specification. Case in point: "PGM Reliable Transport Protocol Specification" (RFC 3208)"

Earlier in that same document, it says what is an expriemental protocol, and this draft doesn't match that description at all.

> So I think it best to no longer delay this draft, publish it as experimental
> and gain experience in how this actually works.

Without more detail about what you want to observe or measure in this experiment that wouldn't be observed or measured for any normal standard, it's hard to agree with that assessment.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email