IETF Logo Mail Archive

Re: [dns-privacy] Call For Adoption: draft-wing-dprive-dnsodtls

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Tue, 26 May 2015 05:32 UTC

Return-Path: <tireddy@cisco.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E27441A8706 for <dns-privacy@ietfa.amsl.com>; Mon, 25 May 2015 22:32:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WHbAUTI0Pnia for <dns-privacy@ietfa.amsl.com>; Mon, 25 May 2015 22:32:54 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 22A971A8702 for <dns-privacy@ietf.org>; Mon, 25 May 2015 22:32:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3436; q=dns/txt; s=iport; t=1432618374; x=1433827974; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=0K5vNHo1w0DHQwzrW14B6RkeQIv9ktmJKKrtGSSyNT8=; b=M0GI6ztYw72GDiUAasPZXQB55w6PfIhJV2gP7C1utoGa8F68UsuMBfr4 zxB931oHbDPpWPT4T+IJZUlgdc+cCzAk8+OqXhCR/OU74pAs3JP8zMKx7 nC86jfiLsqt/YwWWMXa7Vn3rQwACbrvJZ1HAOFd4xiLXd+1t7M55iJVfj U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AjBAB3BGRV/4YNJK1TCYMQVF4GwilmCYFPCoV3AoFEOBQBAQEBAQEBgQqEIgEBAQMBAQEBGgoTNBcGAQgRBAEBAQoUCS4LFAkJAQQBEggTiAkIDdJkAQEBAQEBAQEBAQEBAQEBAQEBAQEBEwSLOoQpERo+gxGBFgWTCIQ1iAOOJ4dfI4FmghJvgUaBAQEBAQ
X-IronPort-AV: E=Sophos;i="5.13,495,1427760000"; d="scan'208";a="1737511"
Received: from alln-core-12.cisco.com ([173.36.13.134]) by rcdn-iport-1.cisco.com with ESMTP; 26 May 2015 05:32:53 +0000
Received: from xhc-rcd-x14.cisco.com (xhc-rcd-x14.cisco.com [173.37.183.88]) by alln-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id t4Q5WrMe009954 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 26 May 2015 05:32:53 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.253]) by xhc-rcd-x14.cisco.com ([173.37.183.88]) with mapi id 14.03.0195.001; Tue, 26 May 2015 00:32:53 -0500
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Tim Wicinski <tjw.ietf@gmail.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Thread-Topic: [dns-privacy] Call For Adoption: draft-wing-dprive-dnsodtls
Thread-Index: AdCXdWavPJRALcG5SgqflPkUfA8HSw==
Date: Tue, 26 May 2015 05:32:52 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A4785DE8B@xmb-rcd-x10.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.64.50]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/Ntd-gUk7MbEWuBl3rRIJ6nuXv-o>
Subject: Re: [dns-privacy] Call For Adoption: draft-wing-dprive-dnsodtls
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 05:32:56 -0000

> -----Original Message-----
> From: dns-privacy [mailto:dns-privacy-bounces@ietf.org] On Behalf Of Daniel
> Kahn Gillmor
> Sent: Saturday, May 23, 2015 12:12 AM
> To: Tim Wicinski; dns-privacy@ietf.org
> Subject: Re: [dns-privacy] Call For Adoption: draft-wing-dprive-dnsodtls
> 
> On Wed 2015-05-20 10:03:27 -0400, Tim Wicinski wrote:
> > During the previous Call for Adoption a number of participants
> > expressed interest in adopting this work.  WG members felt it needed
> > some improvements, but thought it had potential. The authors addressed
> > the issues and feel it meets what the working group was seeking, and
> > have requested that we initiate a call for adoption.
> >
> > If the working group adopts this document, it only means it wishes to
> > study this solution more carefully.  The working group may still
> > determine to not move forward with it.
> >
> > The draft is available here:
> > https://datatracker.ietf.org/doc/draft-wing-dprive-dnsodtls/
> 
> I support the WG adopting this document for consideration.
> 
> I'm willing to review.
> 
> Looking at -01 of the draft:
> 
>  Section 3.2:
> 
>    Verifying the server certificate based on fingerprint needs to be
>    spelled out more clearly (what exactly is fingerprinted, how it is
>    fingerprinted).  But i don't think we should be fingerprinting the
>    certificate itself at all in this case.  I think we should be
>    fingerprinting the subject's public key.  The folks working on HTTP
>    Public Key Pinning (HPKP) already went through this discussion, and
>    settled on pinning public keys instead of certificates for good
>    reason: in the pinning case, we want to make sure that we're looking
>    at the same public key, not about the identity material wrapped
>    around it in the cert.  (this also allows them to work with
>    oob-pubkeys, as you recommend in section 7)

Agreed, will update the draft.

> 
> 
>  Section 3.3:
> 
>    This section seems to bundle assumptions about DHCP information and
>    system configuration all together ("an implementation will
>    attempt"). I think we should separate those considerations, and make
>    it clearer that this section is not a normative set of guidelines,
>    but rather a description of common behaviors and choices.

Okay, will update that this section is non-normative. 

> 
> Section 7:
> 
>    "amoritized" should be "amortized".  I'm not convinced by the NOT
>    RECOMMENDED in this section. Especially as the root zone expands, it
>    doesn't look all that much different than any other busy
>    authoritative nameserver.  This sort of SHOULD NOT ought to be backed
>    up by hard data, or some sort of operational characteristics (X
>    number of clients, each querying Y times per day, or something), or
>    else it looks like it would apply to all authoritative nameservers.
>    I understand that we want dprive to focus first on the stub->resolver
>    link, but i don't think we should shoot down using DNSSoD on
>    resolver->authoritative links without more consideration.

Yes, will keep it outside the scope and not soot it down.

Cheers,
-Tiru

> 
> Regards,
> 
>         --dkg
> 
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy

v2.23.0 | Report a Bug | By Email