[dns-privacy] RFC7626 and risk/threat analysis

Jim Reid <jim@rfc1035.com> Thu, 01 April 2021 20:08 UTC

From: Jim Reid <jim@rfc1035.com>
In-Reply-To: <20210401130438.GC10236@nic.fr>
Date: Thu, 1 Apr 2021 21:08:44 +0100
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Message-Id: <ECF0208E-5433-46FE-8F91-89323DE06CD2@rfc1035.com>
References: <96c2475d-ad93-a442-2003-db6f8782e450@cs.tcd.ie> <CAMGpriXdU7_mJh8CQvSiZGQaDUD9aZF=0iYu0yKBS06khAHgng@mail.gmail.com> <4094551f-4b39-a996-f12f-8c5317c4fe21@nic.cz> <20210331092449.GD10597@nic.fr> <cefd04bf-8685-1894-ef3a-b61ce6a37167@innovationslab.net> <155BAF8D-9F65-4C5C-9EB1-58EFD70827B5@rfc1035.com> <c1ae3401-2565-016b-7acc-4891d0bde067@cs.tcd.ie> <a8eacd5988df461c9ec3c858dd426bb7@verisign.com> <20210331130534.GA28113@nic.fr> <514BEB95-A207-482B-88FA-D420EE66A152@rfc1035.com> <20210401130438.GC10236@nic.fr>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/IbZBls6AP_IxrM4vn1l8e1wUYqg>
Subject: [dns-privacy] RFC7626 and risk/threat analysis

> On 1 Apr 2021, at 14:04, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
> RFC 793 is 39 years old. Let's drop TCP and move to QUIC (the RFCs are
> in the RFC-EDITOR state).
> And I'm too charitable to mention the age of DNS RFCs

You should be above whatabootery* Stephane.

>> Some other risks have changed since 2015 too.
> Please be specific and mention them.

I already did. But here goes again. DoT hadn’t been standardised by then. DoH hadn’t even been invented. Nobody had talked in detail about DoT or other encrypted transports to authoritative servers. [IIRC the initial focus of DoT was stub to resolver traffic.] and the other all-fours resolver services didn’t exist. There wasn’t the prospect of the world’s web browsers doing DoH lookups (and to third-party resolvers in some cases) instead of Do53. There’s now significant disruption to how DNS lookups get performed -- i.e. more centralisation and consolidation -- which introduces new risks, threats and privacy considerations.

It looks to me like the DNS landscape has changed a lot since RFC7626 was published. So the threats and risks have changed too. YMMV.

Besides if RFC7626 hadn’t been OBE, there wouldn’t be an RFC7626-bis. RFC7626 doesn’t mention encrypted transports at all. RFC7626-bis does.

* A Scottish word for raising non-sequiturs: what about...