Re: [dns-privacy] [Ext] I-D Action: draft-ietf-dprive-unilateral-probing-11.txt

Florian Obser <florian+ietf@narrans.de> Tue, 08 August 2023 18:55 UTC

From: Florian Obser <florian+ietf@narrans.de>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
In-Reply-To: <2D1304D5-35E0-4D5B-9B4C-EE08E47A88F9@icann.org> (Paul Hoffman's message of "Tue, 8 Aug 2023 18:41:32 +0000")
References: <169151485727.52839.10580373736526971224@ietfa.amsl.com> <m1msz1tmnb.fsf@narrans.de> <2D1304D5-35E0-4D5B-9B4C-EE08E47A88F9@icann.org>
Date: Tue, 08 Aug 2023 20:55:42 +0200
Message-ID: <m1il9ptlch.fsf@narrans.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/OJZhK4JG5ZQFuN-19yKzjgnBrIs>

On 2023-08-08 18:41 UTC, Paul Hoffman <paul.hoffman@icann.org> wrote:
> On Aug 8, 2023, at 11:27 AM, Florian Obser <florian+ietf@narrans.de> wrote:
>> 
>> This introduced at least a nit
>
> Yipes, very good points. 
>
>> 
>>   For example, consider an authoritative server named ns0.example.com
>>   that is served by two installations (with two A records), one at
>>   192.0.2.7 that follows this guidance, and one at 2001:db8::8 that is
>>   a legacy (cleartext port 53-only) deployment.
>> 
>> It doesn't have two A records. It has an A and AAAA record.
>
> Errr, yup!
>
>> I know
>> that Éric asked for a non-legacy IP example,
>
> ...and he's our AD...
>
>> but I don't think this makes
>> things better. I find it very confusing, usually the server would be
>> dual stacked so why would it do different things depending on the
>> address family? Maybe just go v6 only, thusly?
>> 
>>   For example, consider an authoritative server named ns0.example.com
>>   that is served by two installations (with two AAAA records), one at
>>   2001:db8::7 that follows this guidance, and one at 2001:db8::8 that is
>>   a legacy (cleartext port 53-only) deployment.  A recursive client who
>>   associates state with the NS name and reaches 2001:db8::7 first will
>
> Is it that uncommon for a name server to have one A record and one
> AAAA record? I'd rather not go all-IPv6 because some readers might
> think that the discussion is for v6-only systems. If possible, I'd

Yes, I think so, too.

> rather just say "(with one A record and one AAAA record)".

That's what I was thinking at first, too.

However, if you have a nameserver with one A record and one AAAA record,
the nameserver is usually dual-stacked, so why would it do DoE+Do53 on
IPv4 and only Do53 on IPv6? Other than it being misconfigured.

So I'm worried that a reader will focus on "Hey, that's just a dumb
configuration" and not notice that there are subtleties when there are
multiple servers involved. If you only have one address family, that's
clearer. (Your text kinda hints at there being two servers, but it's
very easy to overlook.)

>
> --Paul Hoffman
>
>

-- 
In my defence, I have been left unsupervised.
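A worked illustration of the subtlety discussed in this thread, added here as an example and not code from the draft or from any resolver implementation: a toy resolver whose probe state is keyed either by NS name or by IP address, run against the two-installation deployment from the quoted draft text (192.0.2.7 encrypted-capable, 2001:db8::8 cleartext port 53 only). The deployment data is constructed, and the probe policy (attempt the encrypted transport once, remember the outcome, and never re-probe a key believed to be cleartext-only) is a simplification assumed by this example, not the draft's procedure.

```python
"""Toy model of a resolver probing an NS name that resolves to two
installations: one that speaks encrypted DNS (DoE) and one cleartext-only
(Do53).  Constructed data; the probe policy is a deliberate simplification."""

# Constructed sample deployment, mirroring the addresses in the quoted text.
SERVERS = {
    "192.0.2.7": {"doe": True},     # follows the draft's guidance
    "2001:db8::8": {"doe": False},  # legacy, cleartext port 53 only
}
NS_ADDRS = {"ns0.example.com": ["192.0.2.7", "2001:db8::8"]}


class ProbingResolver:
    """Keeps per-key transport state.  key_by_name=True models state
    attached to the NS name; key_by_name=False attaches it to the
    individual IP address that was actually contacted."""

    def __init__(self, key_by_name):
        self.key_by_name = key_by_name
        self.state = {}  # key -> "doe" or "do53"

    def _key(self, ns_name, addr):
        return ns_name if self.key_by_name else addr

    def query(self, ns_name, addr):
        """Send one query to addr; return the transport actually used."""
        key = self._key(ns_name, addr)
        if self.state.get(key) == "do53":
            return "Do53"            # believed cleartext-only: no probe
        # Unknown or believed encrypted: attempt DoE (this is the probe).
        if SERVERS[addr]["doe"]:
            self.state[key] = "doe"
            return "DoE"
        # Encrypted attempt failed: remember that and fall back to Do53.
        self.state[key] = "do53"
        return "Do53"


def run(key_by_name, order, ns_name="ns0.example.com"):
    """Query the addresses in `order` one after another and return the
    list of transports used.  Every address must belong to ns_name."""
    resolver = ProbingResolver(key_by_name)
    used = []
    for addr in order:
        if addr not in NS_ADDRS[ns_name]:
            raise ValueError(f"{addr} is not an address of {ns_name}")
        used.append(resolver.query(ns_name, addr))
    return used


if __name__ == "__main__":
    for keyed in (True, False):
        label = "state by NS name" if keyed else "state by address"
        # Legacy installation reached first, then the capable one.
        print(label, run(keyed, ["2001:db8::8", "192.0.2.7"]))
        # Capable installation first, then legacy, then capable again.
        print(label, run(keyed, ["192.0.2.7", "2001:db8::8", "192.0.2.7"]))
```

With state keyed by NS name, reaching the legacy installation first marks the whole name as cleartext-only, so the capable installation is never probed; reaching the capable one first works once, but the first failure against the legacy address downgrades the name and later queries to 192.0.2.7 go in cleartext too. Keyed by address, each installation gets the transport it actually supports regardless of order, which is the behaviour the per-address state in the draft is meant to produce.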