IETF Logo Mail Archive

Re: [dns-privacy] WGLC : draft-ietf-dprive-unilateral-probing

"Hollenbeck, Scott" <shollenbeck@verisign.com> Mon, 20 March 2023 12:32 UTC

Return-Path: <shollenbeck@verisign.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B575C13AE21 for <dns-privacy@ietfa.amsl.com>; Mon, 20 Mar 2023 05:32:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pend606xss_e for <dns-privacy@ietfa.amsl.com>; Mon, 20 Mar 2023 05:32:46 -0700 (PDT)
Received: from mail2.verisign.com (mail2.verisign.com [72.13.63.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27758C15EB2E for <dns-privacy@ietf.org>; Mon, 20 Mar 2023 05:32:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=6068; q=dns/txt; s=VRSN; t=1679315567; h=from:to:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version:subject; bh=8tClTVLqM2b+MeGYncj/PpPSvMHIjkLnGPxXN4Fr8pw=; b=Sv62vghEKr8TpKJTKa3//3kYpIHUiH832jGxLJJFdh3m0oCh+cLDHtQZ lP35PFpVyage4+VT17AB+Nbjbv/Sn9Od9lFJxhTHBiDF9tx0Qp9CWBe7E BeDZjP0nOePWhs4k4zrVxho50lR/AZm1HIfRAtsell0fLocAIkvazptXB ZIW6n9Qlngv5fHrIbmAJ0EyBQy/SJsiBp1NY8b9005YJoTziJ4hHsjWsM PB80XduK4Y40+fkoEb93Y4OBLXjUy4hL8/85LT7e1nWJ5JRRG0KxCJ5Wq J2k4zpif3nNO81V3q1hCtS0bHMdBZ1BPAYBhmcgAlG+7mp2f2D4TNvBcY Q==;
IronPort-Data: A9a23:9syRLaL2QVuIojHCFE+RopQlxSXFcZb7ZxGr2PjKsXjdYENS02cCz jdMDG3SM/eJNmrzKNxxat61oUkFsZfdnNNqTAZorCE8RH908seUXt7xwmUcnc+xBpaaEB84t ZV2hv3odp1coqr0/0/1WlTZhSAgk/vOHtIQMcacUghpXwhoVSw9vhxqnu89k+ZAjMOwa++3k YqaT/b3ZRn0i1aYDkpOs/jY8Eg27ayo0N8llgdWic5j7Qe2e0Y9Ucp3yZGZdxPQXoRSF+imc OfPpJnRErTxpkpF5nuNy94XQ2VSKlLgFVHmZkl+AsBOtiN/Shkaic7XAtJHMBsK1G/Z9zxG4 I4lWZSYEW/FN4WSwLhNC0Ew/ytWZcWq85efSZSzXFD6I+QrvBIAzt03ZHzaM7H09c5sLmBhz toGdgkUQQ+b1t6a6oi9crdj05FLwMnDZOvzu1lK9xeAMtALcciaBbvB4sVAmj48wN5UBvCYb M0cAdZtRE2YJUQQYRFOVcl4wLfAanrXKlW0rHqOpa0z52XVxgF605DzPcDUYd2FQ4NemUPwS mfupTypUkpLa433JTytylOvluHmhxzAXKkPSYzop/xrjHCi2TlGYPERfR7hyRWjsWa0QdNWL WQV/Cwps6Eu9UutVd30VVu+rWLslhIaQJ9ICewk4Qqc4qvZ/wjfAXILJgOtc/QsrslvWjonx gfQ2sj3H3pqsabQQ3Xb/K2S9HWsIzMTa2QFYEfoUDc43jUqm6lr5jqnczqpOPfdYgHdcd0o/ w23kQ==
IronPort-HdrOrdr: A9a23:GrbS1qyBgatn/mQow29UKrPw8b1zdoMgy1knxilNoHtuA6mlfq GV7ZYmPHDP6Ar5NEtPpTniAsa9qBrnnPZICOIqTNSftWfd2VeAHcVN4Yzv2DX8FyC73f4178 tdWpk7LNHrF1B1gYLZ7BnQKbwd6ejC1Kyzn+/RwzNWUAdwZ8hbgjtREAqBDUFsfgVACKc4EJ b03KF6mwY=
X-IronPort-AV: E=Sophos;i="5.98,274,1673913600"; d="scan'208";a="20883979"
Received: from BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.21; Mon, 20 Mar 2023 08:32:44 -0400
Received: from BRN1WNEX02.vcorp.ad.vrsn.com ([10.173.153.49]) by BRN1WNEX02.vcorp.ad.vrsn.com ([10.173.153.49]) with mapi id 15.01.2507.021; Mon, 20 Mar 2023 08:32:44 -0400
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "brian@innovationslab.net" <brian@innovationslab.net>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Thread-Topic: [EXTERNAL] [dns-privacy] WGLC : draft-ietf-dprive-unilateral-probing
Thread-Index: AQHZVPliHXDm8kwSnUSBQMGdOPrlqq8Doy3Q
Date: Mon, 20 Mar 2023 12:32:44 +0000
Message-ID: <a0df591f17a74ee69a1a4f440dd08597@verisign.com>
References: <64e17d73-ea1a-00cb-a8a5-b5cfb39c37ae@innovationslab.net>
In-Reply-To: <64e17d73-ea1a-00cb-a8a5-b5cfb39c37ae@innovationslab.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/NM3Jf1htBmy_zb-ZTyEDM8YpGpQ>
Subject: Re: [dns-privacy] WGLC : draft-ietf-dprive-unilateral-probing
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Mar 2023 12:32:50 -0000

> -----Original Message-----
> From: dns-privacy <dns-privacy-bounces@ietf.org> On Behalf Of Brian
> Haberman
> Sent: Sunday, March 12, 2023 11:43 AM
> To: dns-privacy@ietf.org
> Subject: [EXTERNAL] [dns-privacy] WGLC : 
> draft-ietf-dprive-unilateral-probing
>
> All,
>       This starts a 2-week WGLC for
> draft-ietf-dprive-unilateral-probing-05. This call is to determine if the
> document is sufficiently complete to facilitate implementations and
> interoperability testing. Once that determination is made, the chairs will 
> park
> this document in the datatracker with a state of "Waiting for 
> Implementation"
> and we will await for the requested implementations and interoperability
> reports.

[SAH] The operational practices described in the draft are, I believe, 
complete. They are, however, based on two normative references that are 
incomplete, or potentially incomplete, for the purpose of 
recursive-to-authoritative encryption. As I noted on-list previously, RFC 7858 
(DoT) explicitly notes that it "focuses on securing stub-to-recursive traffic, 
as per the charter of the DPRIVE Working Group.  It does not prevent future 
applications of the protocol to recursive-to-authoritative traffic" and that 
"It might work equally between recursive clients and authoritative servers". 
Section 5.1 of RFC 9250 (DoQ) explicitly notes that "For the recursive to 
authoritative scenario, authentication requirements are unspecified at the 
time of writing and are the subject of ongoing work in the DPRIVE WG". 
Implementations of this draft could help identify the unknowns in RFC 7858 and 
RFC 9250. I support the research and experimentation effort needed to address 
those unknowns, and I will suggest again that the draft should include text to 
explicitly acknowledge the limitations that are plainly described in both 
RFCs. The draft could note these limitations in Section 2.2 by changing the 
first paragraph from this:

"Although this document focuses specifically on strategies used by DNS 
servers, it does not go into detail on the specific protocols used because 
those protocols, in particular DoT and DoQ, are described in other documents."

To this, or something similar:

"Although this document focuses specifically on strategies used by DNS 
servers, it does not go into detail on the specific protocols used because 
those protocols, in particular DoT and DoQ, are described in other documents.
DoT explicitly notes that it "focuses on securing stub-to-recursive traffic, 
as per the charter of the DPRIVE Working Group.  It does not prevent future 
applications of the protocol to recursive-to-authoritative traffic" and that 
"It might work equally between recursive clients and authoritative servers".
Section 5.1 of DoQ explicitly notes that "For the recursive to authoritative 
scenario, authentication requirements are unspecified at the time of writing 
and are the subject of ongoing work in the DPRIVE WG". Additional 
specification work might be required to ensure that DoT and DoQ work reliably 
in this context."

I do not support the draft without text that addresses these limitations in 
its normative references.

It would also be helpful to include text that explains the goals behind it 
being parked. An "Implementation Status" section as described by RFC 7942 
could serve that purpose, and it could be expanded as implementations are 
identified.

>       The chairs will note that the document is currently marked as Proposed
> Standard and that there has been a suggestion to move it to Experimental. If
> you have an opinion on the status at this time, please include it in your
> feedback to the WG mailing list. We will revisit the status of the document
> before it gets advanced to our AD.

[SAH] The suggestion was made to align the status of this document with the 
working group's charter:

"Investigate potential solutions for adding confidentiality to DNS exchanges 
involving authoritative servers (Experimental)."

This working group is not currently chartered to develop a standards track 
specification for "adding confidentiality to DNS exchanges involving 
authoritative servers". As such, I support alignment of the draft's intended 
status with the working group's charter (moving it to Experimental) while it's 
parked in the "Waiting for Implementation" state.

Scott

v2.23.0 | Report a Bug | By Email