Re: [dns-privacy] Martin Duke's Discuss on draft-ietf-dprive-xfr-over-tls-11: (with DISCUSS and COMMENT)

Allison Mankin <amankin@salesforce.com> Mon, 03 May 2021 19:32 UTC

From: Allison Mankin <amankin@salesforce.com>
Date: Mon, 3 May 2021 15:32:13 -0400
Message-ID: <CALUxDspOEaSGnUdhh2ASFp6wOc66pdEy+kdRQudgw0EG-C3K9Q@mail.gmail.com>
To: Martin Duke <martin.h.duke@gmail.com>
Cc: The IESG <iesg@ietf.org>, Tim Wicinski <tjw.ietf@gmail.com>, dns-privacy@ietf.org, draft-ietf-dprive-xfr-over-tls@ietf.org, dprive-chairs@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/HaQ7SO8Ma9TW3v0Wrh18LD6BNy8>

Hi, Martin,

Sara is out of the office for a day or two, so I will jump in.  We do not
object to using an ALPN code for DoT, and indeed, the message that ALPN
should not distinguish between DoT and XoT drowned out the more important
message that ALPN for DoT had to be there.  A miss by the earlier reviewers.

Allison


Allison Mankin, Principal Architect, DNS-AEO Cloud Leader | Salesforce
On Mon, May 3, 2021 at 2:37 PM Martin Duke via Datatracker <noreply@ietf.org> wrote:

> Martin Duke has entered the following ballot position for
> draft-ietf-dprive-xfr-over-tls-11: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-dprive-xfr-over-tls/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> In further discussions it became clear that the authors do not intend for
> XoT traffic to use an ALPN code at all. I'm afraid this may be a
> misunderstanding of previous guidance from TLS that XoT did not need its
> own ALPN code, but could simply use the DoT ALPN since the messages are
> distinguishable on the wire.
>
> To not use an ALPN at all violates best TLS practice. The reasoning given
> in Appendix A, that this creates difficulty for proxies, doesn't make
> sense to me. We can talk about it in the telechat.
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> - There ought to be a warning somewhere that mTLS verifies that the CA has
> verified identity, while IP ACLs merely prove that the bearer can observe
> the path to the address. The former is much stronger than the latter,
> unless there are more mechanisms built into the ACL than are obvious from
> the text here.
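The DISCUSS above asks that XoT sessions carry the DoT ALPN rather than no ALPN at all. The following Go program, added here as an illustration and not taken from the draft or its authors, shows why the server application has to check the negotiated ALPN itself: a client that offers no ALPN completes the TLS handshake with an empty ALPN and is only turned away by the server-side check, while a client offering only a foreign ALPN already fails inside the handshake. The hostname xot.example and the self-signed certificate are constructed for the loopback demo; "dot" is the ALPN identifier registered for DNS over TLS.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

const DoTALPN = "dot" // ALPN identifier registered for DNS over TLS; XoT reuses it
// selfSignedCert builds a throwaway loopback certificate (constructed for this demo only).
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"xot.example"}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}
// handshake runs one loopback handshake with the client offering clientProtos; nil only if "dot" was negotiated.
func handshake(clientProtos []string) error {
	cert, pool := selfSignedCert()
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, NextProtos: []string{DoTALPN}})
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() { // server side: a completed handshake is not enough, the negotiated ALPN must be checked
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			tc := c.(*tls.Conn)
			if err = tc.Handshake(); err == nil && tc.ConnectionState().NegotiatedProtocol != DoTALPN {
				err = errors.New("refusing XoT session: ALPN \"dot\" was not negotiated")
			}
		}
		verdict <- err
	}()
	// Only foreign ALPNs: Dial fails on the server's no_application_protocol alert. No ALPN: handshake succeeds, server check refuses.
	if c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "xot.example", NextProtos: clientProtos}); err == nil {
		c.Close()
	}
	return <-verdict
}
```

Calling handshake with []string{"dot"}, nil and []string{"h2"} in turn shows the three outcomes: accepted, refused by the server-side check, and refused by the TLS handshake itself.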