Re: [dns-privacy] [DNSOP] [core] WGA call for draft-lenders-dns-over-coap

Ben Schwartz <> Tue, 06 September 2022 15:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 74F30C147920 for <>; Tue, 6 Sep 2022 08:06:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -22.606
X-Spam-Status: No, score=-22.606 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id onSufOMB1-oP for <>; Tue, 6 Sep 2022 08:06:56 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::b2b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by (Postfix) with ESMTPS id A31A3C1533B5 for <>; Tue, 6 Sep 2022 08:06:56 -0700 (PDT)
Received: by with SMTP id c9so17280512ybf.5 for <>; Tue, 06 Sep 2022 08:06:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=Im6r82h6WC75Sh56AqZsOhmbqGZL2882vGTdig5SviI=; b=HOSw/OvX56lFruA/Sj8suhJjspSWD/IRmUquOyQpw/vc5uewpcXvvhd/tV9It5xL9q udZ5c0sLq2xcYnHv5UT3CMf6XkXhuM2UAIwv5H1OzSUudq1YbeUMOezHF2F2Pt5mOlK7 74IPzX1nKi1B49GctfLVyCQbMHDnwIbLdOX7UM8xP6HzLwsng2G9KPpiaxhOacMCJmI9 GVrKeAy2jeofflw9AxX8WO0xyeIfApOlMP7IK1guSh7TkW4nuC+0VDq23UNitUkIcRdD amOeBZ8/zYqf9OYXZ+nteWUEpwaeP+dKY3hxrFw6K06uEJI81Gbr9IdYctEqUkO0+NpY hgPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=Im6r82h6WC75Sh56AqZsOhmbqGZL2882vGTdig5SviI=; b=oXMhHrgCVOSnN+F62ujPB8SU5yydTGhnnWYTgmS1m8300+buiYjlApSZD+NlEufv+w dNEV6c8hNwKpJjkA3xe0YHNKJiVCbjt16t8KDgpIoBp58nNtgVDIrwZxKcJxvV3tqviw hLQqImqWuZUrwonlzb1ZPCrTvApS56SoC17SNzkBqN5KPFMFqm0iuq4Psz3xw8qI+Woo WVktY1Zj40Zq0vXT7KkhJ82iH1kA5mzFAxpP4oZJNb1QKCe3MZfi00GxWNhZiTvbtXhZ vkdh25HNS6mtVYBDG0wKYk9Pct88t99ZkrDKxlrI4D0mDr6XGZUM96ughaADLbaZx5A2 nAdA==
X-Gm-Message-State: ACgBeo34ULlsN3OXhsj5x7h/Y0cxye/UHvZo4/61PqIEFY8e2BmcKfW3 r7mlDIdeAsenL9UdK1Lpbm+stzDXXWInYBLHCd9Ygw==
X-Google-Smtp-Source: AA6agR4wruUscp0EPW0/K6Lw0rYZN2IZG2vq0GPwF7tWzpRkkFkDG4M30HpuUsNUDGI/FfAUS3y23KtH5ZT1VDHGX1M=
X-Received: by 2002:a25:9bc4:0:b0:699:c891:a71a with SMTP id w4-20020a259bc4000000b00699c891a71amr32745501ybo.228.1662476815161; Tue, 06 Sep 2022 08:06:55 -0700 (PDT)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Ben Schwartz <>
Date: Tue, 6 Sep 2022 11:06:43 -0400
Message-ID: <>
To: =?UTF-8?Q?Jaime_Jim=C3=A9nez?= <>
Cc:, DNS Privacy Working Group <>, dnsop <>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="00000000000011a51105e8038cb2"
Archived-At: <>
Subject: Re: [dns-privacy] [DNSOP] [core] WGA call for draft-lenders-dns-over-coap
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Addition of privacy to the DNS protocol <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 06 Sep 2022 15:06:57 -0000

Some further notes on this draft.

Section 5.1 says that a DoC server "SHOULD" follow CNAMEs.  This is a
misunderstanding of the nature of DNS transports.  DoC is a DNS transport,
like DoT and DoH.  The choice of transport is independent of the DNS
server's answering behavior, which must not be modified by the transport.
Indeed, DPRIVE is now chartered to enable the use of alternate transports
for recursive-to-authoritative queries for which CNAME following has
entirely different rules.  This is possible precisely because the choice of
transport does not alter the logical DNS contents.

Section 5.1 also proposes that the population of the Additional section
might follow different logic when using DoC.

Modifying the logical DNS behavior would create a wide range of exciting
and unpredictable compatibility issues when trying to use a new transport.
I urge the authors to delete Section 5.1, which would resolve this
problem.  The draft could instead note that the DNS queries and responses
are not modified when using DoC, except under private arrangement between
the client and server.

On Fri, Sep 2, 2022 at 12:20 PM Jaime Jiménez <> wrote:

> Dear CoRE WG,
> Thanks to the authors and the reviewers that provided comments on the list
> for this draft. Given the in-room support and the list discussion during
> the WGA the chairs believe that there is sufficient support for the
> adoption of this document in CoRE.
> The authors are advised to resubmit the draft-core-dns-over-coap and to
> set up a document repo under the CoRE Github organization at
> BR,
> Jaime Jiménez on behalf of the CoRE chairs.
> On 15.8.2022 11.26, Jaime Jiménez wrote:
> Dear CoRE WG,
> We would like to start the call for adoption on draft-lenders-dns-over-coap.
> The draft defines a protocol for sending DNS messages over secure CoAP (DTLS and/or OSCORE). The draft was discussed during IETF114 and on IETF113 and was well-received by the group.
> During the last IETF meeting there were no objections for adoption so we confirm this now on the mailing list. Please let us know if you support adopting this draft. As many people will still be on vacation, we the WGA call will last a couple of weeks, ending the *1st of September*.
> Note that DNSOP and DPRIVE are in the loop as the draft is relevant for their working groups too.
> BR,
> --
> Jaime Jiménez
> _______________________________________________
> core mailing listcore@ietf.org
> --
> Jaime Jiménez
> _______________________________________________
> DNSOP mailing list