Re: [dns-privacy] AD review of draft-ietf-dprive-xfr-over-tls-08

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Sat, 03 April 2021 06:47 UTC

Return-Path: <evyncke@cisco.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F8FF3A0B56; Fri, 2 Apr 2021 23:47:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.597
X-Spam-Level:
X-Spam-Status: No, score=-9.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=BxF4PuuK; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=YWQ9NbSD
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5R1PkZ51_lVM; Fri, 2 Apr 2021 23:47:09 -0700 (PDT)
Received: from aer-iport-1.cisco.com (aer-iport-1.cisco.com [173.38.203.51]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8809F3A0B54; Fri, 2 Apr 2021 23:47:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=10904; q=dns/txt; s=iport; t=1617432428; x=1618642028; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=u6df/9P5qvBL2Z1XNZ8ZgZlbqxMV43hvrrBkeUL06DY=; b=BxF4PuuK43UISl+UmQ6t0yhEBcDRk30OBmv268TrVS0MPtAINOzXDku/ FAVVu4//cmrcU/CcU9tI63QLxFYYWGsk30Qs/gJ751XB0titzO7r7MFxk XiFh4ZLG5MgidqnnLcq76jkMQ3ulTsjZ8IBsQ6wi2QpuBbXJKwWa5SZO9 8=;
X-IPAS-Result: =?us-ascii?q?A0AcAwBRDmhglxbLJq1agQmDJSMuflo2MYRCg0gDhTmIS?= =?us-ascii?q?gOPJYoSgUKBEQNUCwEBAQ0BASQKBAIEAQGEUAIXgWYmOBMCAwEBAQMCAwEBA?= =?us-ascii?q?QEBBQEBAQIBBgQUAQEBAQEBAQFohSMGJw2GRAEBAQECASMRDAEBNwELBAIBB?= =?us-ascii?q?gIRAwECAQICJgICAjAVCAgCBAoEBYJxAYJVAw4hAY9OkG0Cih93gTKBAYIEA?= =?us-ascii?q?QEGgTMBg2YYghMDBoEPKoJ2hAmGSwc7gUlCgRInHIFbfj6EBhEpgxc1giuBW?= =?us-ascii?q?XEBPSYEGCsQIC8kCB00BxkQBQMOAxFOkQSDAYgZjESRYQqDColfkxUDH4NMi?= =?us-ascii?q?niWKZcih0aCEpIpAigCD4RVAgICAgQFAg4BAQaBayGBW3AVGiEqAYI+IS8XA?= =?us-ascii?q?g6MZYFGDQmDTopZcxoBHQIGAQkBAQMJfIp9gkUBAQ?=
IronPort-PHdr: A9a23:/3LoMRQzpaok3YWqLKsMz6Sd9dpso0vLVj590bIulq5Of6K//p/rI E3Y47B3gUTUWZnAg9pfiuzRv73mH2cH5MXJvHMDdclKUBkIwYUTkhc7CcGIQUv8MLbxbiM8E cgDMT0t/3yyPUVPXsqrYVrUry6p7DgVFgj5cwFyI7e9Fovblc/i0ee09tXaaBlJgzzoZ7R0I V22oAzdu9NQj5FlL/M6ywDCpT1DfOEFrV4=
IronPort-HdrOrdr: A9a23:9e3qDqB//D+OOWjlHei9tceALOonbusQ8zAX/mhLY1h8btGYm8 eynP4SyB/zj3IrVGs9nM2bUZPgfVr1zrQwxYUKJ7+tUE3duGWuJJx/9oeK+VPdMgXE3Kpm2a 9kGpIQNPTZB1J3lNu/xQG+HcopztXvytHWuc715R5WPGZXQotn6Bp0DRveMmAefngHObMSEp 2A6s1b4x+pfnoKZsq2b0N1IdTrjdvNiZ7gfFo6HBYh8gaDlneF77T9Hhie0H4lInBy6J0l9n XIlBG827W7v5iAu17h/kLwz7ATotvuzdNfGNeB4/J0FhzAghulDb4RIIGqkysypIiUmTMXuf nK5ywtJsFir07WF1vF3SfF/ynF/HIQ52T5yVme6EGT4/DRYD4hEcJOicZ4X3LimjAdlepx2q 5KwG6V3qA/ZXir8UiNhKmrazhQmkW5unYkm+II5kYvLLc2UqNbroAU4SpuYfE9NR/684wuHa 1PC8zR9Z9tACunRk3ZpWVmzZiQWG0yFH69MzE/k/GSugIm+ExR/g89/ogyj30A/JUyR91v/O LfKJllk7lIU4s/cb99LP1pe7rzNkX9BTb3dE6CK1XuE68Kf1jXrYTs3bkz7Oa2PLQV0ZoJno jbWl8wjx93R2veTem1mLFb+BHER2uwGR73zNtF2pR/srrgAJ3mLDOEU1Jrt8e7uf0QDon6Vp +ISdVrKs6mCVGrNZdC3gX4VZUXA2IZStcpttEyXE/LrdnMLoHsq+zHYPfeLLfgCl8fKzrCK0 pGeAK2CNRL70itVHO9qgPWQWnRdkv2+o81EKWyxZlK9KE9cql39iQFg1Ww4c+GbRdYtLYtQU d4KLT71qeypWy8+3fU/3xkUyAtVXp90fHFaTdntAUKO0T7ffIooNOEY11f23OBO1t4VMPZEA lWolxt4qKpJ5mMxSQvYujXdF6yvj82njanXp0ckqqM6YPOYZUjFKsrX6R3CEHWDRBvgB1rr2 1CcQcAQUfaGlrV+P+Ypa1RINuaW8h3gQ+tL8IRlGnWsl+Eo9ozAlEBWSS1bMKRiQEyZjZdi1 Fr6ZUDiL6YlTvHExpjvM0IdHl3LEWeGvZvERmMboQ8oMGbRChACUOxwQG8pz52UGzw7EkWjn HmNkSvCIH2K2sYnGtZ3Kbs+E5zbUOHcStLGyxHmLw4M3jasXBu1uLOQay/3wKqGwU/69BYFi 3Zaj0PJQ4r/fSL7Vq+nTaPEmhO/ORwAsXUEKkjf7bP2nmkNY2PkuUcE+VJ+Yt+XeqewNMjTf iSYEucIj/+FooSqn+oj2dgNy9upHY+l/T0nBXj8WijxXY6ReHfOVJ8WtggUp2hxnmhQ/aDy5 Nii90p+eO2L2Xqc9aDoJunJQJrO1fWoWSsSfsvpo0RtaUutKFrF52eVTfTznlI0FE/K8jz/X luDZhT8fTEOoV1edYVdD8c9l01lM6XJE9uqxfoGIYFDBgQpm6eO8nM76vDqLIpDEHErAzsOU OH+ykY+/veRSOM2bMTFqpYGxUYVGEsrHB5uO+SfYzZDwunM/tO+1e3KXexer5QQqrtI8Rakj 9qp9WT2+OHfSvx3w7d+SZhKqVV6mC9XIe8BhmPFeMgya31BX2cxq+xpMi9gzf8RWHlNwAWhY hZeVcRacoGgD84l4Ez2jWzTKuyok9NqSoo3Rh30lr2no6h6yPHGEsDNwvTiJBfRyNSPXiFlt 6ty5nR6F3tpDxenYDeH0JRdMxUE9ceToLrPz5jQPJgyIKA7u4qmGBfex8gAG43lSDl0+5n1b m/3u/OW+eKMwafBXsRvThfBoB1mSQ3qWZPN8imhKjNFzkqKg==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.81,302,1610409600"; d="scan'208";a="34727539"
Received: from aer-iport-nat.cisco.com (HELO aer-core-1.cisco.com) ([173.38.203.22]) by aer-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 03 Apr 2021 06:47:06 +0000
Received: from mail.cisco.com (xbe-rcd-002.cisco.com [173.37.102.17]) by aer-core-1.cisco.com (8.15.2/8.15.2) with ESMTPS id 1336l4iS028677 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK); Sat, 3 Apr 2021 06:47:05 GMT
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by xbe-rcd-002.cisco.com (173.37.102.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.2.792.3; Sat, 3 Apr 2021 01:47:04 -0500
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Sat, 3 Apr 2021 02:47:03 -0400
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Sat, 3 Apr 2021 02:47:02 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RdTOwRF+BW+3JnwP9bo2bST5RGxbt5pyt4MMekCTW+Fisib/dwQRo4IIOpXO5TvDKGvhV/9PMLb5ycaPMk6CTn3t7Vpu6Ud30U/kmRLAEcGSQGDgkgk9vdmD7yCCB75M5cOLY1GPJcNyIs8f13fgG+D34CsAttOB1YcZAxci2h3ordWSlQiDSNDPDl5yAYad6kIsPYiQvtt8uenDzLHuoBDvgG2bocsaPJVJ8k6mHkzsyIIUOXu/QmdU5rQ58Yd1N0fOpV2Ngjqobw4x4t4ubctnFF+/L6SjLDyAtGKd9q6M78viYqeL/I08UFJmGhIWF/L5lCoz0LeujpFs7RK2Sg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=u6df/9P5qvBL2Z1XNZ8ZgZlbqxMV43hvrrBkeUL06DY=; b=Vl3S7DcFWedJEVY1m7mQZnaE4I9AN4N6/0oe+qVZqLAX8/hnO0sr4hJdyg/jjg9vFwcY2lXmwqVWsr5Msm2MMP4FClSyinDQT/BeR1kfjpKOkXch52QF/cPdh4bBLTHyauDd7ncW4fMfdI3mz4KRblqnqBTnDAxBAq7el4qlfayQ94rJr/7eNQTK7iwpBZT4DAnHgDdEjVv/5ND+vIFx4GhUtdXXKMhLQ7ysePVRTUz8AvKgbw7HpqtS83Luo436JnOeZB+5s1r94MhGKQ5tmkKd89eZlO6lT1M/IGMVhYmJPTlrFP2rbnj+LJDfcPh1JOP+yfmM1zwWc5qlx2t1SA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=u6df/9P5qvBL2Z1XNZ8ZgZlbqxMV43hvrrBkeUL06DY=; b=YWQ9NbSDFiX4+tDEJXfbAdxQ0r192AMeByOMY76DSliqWk3T2I30vUqgbg0e53dip6tXSk7TwcClYlyDSEKRQnW0Igy9ASqCiOtyvZrdpkxCcYFufZ0J0tNFdIsOdqmKvQmxpilufEE+BrEAakXH5oQN9DixNyF8vljjUHHAjLM=
Received: from PH0PR11MB4966.namprd11.prod.outlook.com (2603:10b6:510:42::21) by PH0PR11MB5111.namprd11.prod.outlook.com (2603:10b6:510:3c::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3999.29; Sat, 3 Apr 2021 06:47:02 +0000
Received: from PH0PR11MB4966.namprd11.prod.outlook.com ([fe80::dcdf:3910:b85d:6eba]) by PH0PR11MB4966.namprd11.prod.outlook.com ([fe80::dcdf:3910:b85d:6eba%7]) with mapi id 15.20.3999.032; Sat, 3 Apr 2021 06:47:02 +0000
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Sara Dickinson <sara@sinodun.com>
CC: "draft-ietf-dprive-xfr-over-tls@ietf.org" <draft-ietf-dprive-xfr-over-tls@ietf.org>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Thread-Topic: AD review of draft-ietf-dprive-xfr-over-tls-08
Thread-Index: AQHXHAwUM9FOiyyBSECEkBBlaJXfA6qbAPcAgAeSxIA=
Date: Sat, 3 Apr 2021 06:47:01 +0000
Message-ID: <BBC267EF-7FAC-4A8F-BA07-3CC27073EC0C@cisco.com>
References: <743E167C-3449-49A9-81F9-48CE5E98846C@cisco.com> <29BBFB1A-E849-483D-83FB-0C4D5DC306BE@sinodun.com>
In-Reply-To: <29BBFB1A-E849-483D-83FB-0C4D5DC306BE@sinodun.com>
Accept-Language: fr-BE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.47.21031401
authentication-results: sinodun.com; dkim=none (message not signed) header.d=none;sinodun.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [2001:420:c0c1:36:ad25:1cc2:b21d:f9ed]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 5181641d-4d69-47e5-0404-08d8f66c4955
x-ms-traffictypediagnostic: PH0PR11MB5111:
x-microsoft-antispam-prvs: <PH0PR11MB511125325B72FA43E459DECCA9799@PH0PR11MB5111.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: O8PmUIqaDK26PDg/UdQbFTK7Ne30ta/aGKgIJCFqw360iY6/mJGiJ2R/eR4N8k3ZrodielQ7Mvnqmf+ENrN0pzR4XzQ5ZaKG51hH4j3m68IrQgdEzJ70bVrviAHa8V0WoK4bBQ4fI8YpfgFF01CIvYvXah9uNHuhCk6SApAYqLK9w/7lFbw5OpegG0WcaNDv1Y/rVXtywGCqg0C/9J1BzDmaDnWze1svq7a5m2pEiqObwM1S1gqTYm4K45YBB55W3XwuTvPlAHcL/3L76OC2aOC6DxdG26wDSh5SJw42sqSxX1bcBdx9gBg6vNUbgFzE+XO7iKitb8LfldTR4E1/sA+w0aFpIBKKVamc7VTWL0Jm1/u5DmNN0j2lHb1cIowb/mvPcMgctYEH8+9vUkRIySc9Jz62ZC/s9pPFX58TVsnyaMSrx016WKOnXEbgT4Dob9czVOKH9/DkdHGx6LwsgBKlgmxep2VFCuFop0kqmCq2HCqAMbOfqY2HKnW+y0zzHmF9iA4sV9b4i3G2+81sRfJGmCSFMB/zg3kS2KU+A1phEmCZy5+LekOt+a5smnRwC3YG1iEILtOoLV56w0nrGOVDeohdnkUIEG29/agiSDUEF3xRGmrKMWmy8/e0EXs7t7Lrk0lgFMfobMWeX50btuMSJtAyROmSyzWEQXktocrh8jAqarPdU3JTXVw4Kdi0C/ciOdf9fvhmbFSG1Sq2hr4M5eth82vP83stJX21OVt6nkyUlzoBP0ODGQtOE1JZmn66XLsomsLX0SZiOYdxlw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PH0PR11MB4966.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(366004)(396003)(346002)(136003)(376002)(39860400002)(2906002)(71200400001)(54906003)(76116006)(8936002)(91956017)(66946007)(64756008)(6486002)(2616005)(478600001)(33656002)(186003)(4326008)(966005)(6512007)(316002)(38100700001)(83380400001)(8676002)(5660300002)(6916009)(36756003)(53546011)(66556008)(86362001)(6506007)(66446008)(66476007)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: =?utf-8?B?T21aNFZISUJ2eVlKRGhuaENkWGlldFp3R3MvZmFCSW51UHVZam1HbkRVOFVP?= =?utf-8?B?R1pDTzR0N0RZWlFlMytJZmFYaEtiU01qeWJXN2F1VldQMEFTeklPdXBTb1R2?= =?utf-8?B?UXZYYWI0c3hSOW9PLyt4Tit1a3RSQVp0VDkxMVc4NlJtSVdESWNsNkdYWW4z?= =?utf-8?B?cEFFUkM4Q0lHcjlENGFuRUZrbjV3YzZOWWpoY2V2T3VDN2J6ZXk5bDhIM29I?= =?utf-8?B?dDF4NDVyMU5nNjl4YUtSeld6NmFmS0QraE91YzRHWFA2YXk4bzZTU1VFOG92?= =?utf-8?B?NXg5ZEVtM0lQNVdaZnBMeDhRZzlDUi83ejR3RENRcTVwZ1BOdGkrcTduaGlj?= =?utf-8?B?Ty8wWkZaZy9iUHRTclErQW5qdGVqVzQxMzRNMG02bncvdi9KczcvR09nTkRY?= =?utf-8?B?UEEvYnVJM09MeGhLd0dlNWpHY3dYaVdLeC9wYnM1SFhIdGRiR01XRzZ1dVFN?= =?utf-8?B?OTJVMjB3MHlDak15Ung5RXBXZXhrTHVwMnRHS1FTSHBuUkE0RGIzTFVRK1Vn?= =?utf-8?B?ZlFJd3pCM2pwaDBrbktqM21mUWJCc3QzSUhmczVxKzQ5ZTVoVEkyTFNvTGpk?= =?utf-8?B?MVpTNE1MSGh4MHJ4cm5wL3I3RllQY0FWZGpDUUxLLytWeFlVS0swcjVSYytI?= =?utf-8?B?U3BlTzRXckkzeVhIYVJtY2lIN0FFWitoemVHNXprVmNEdmdBSzBDa1A5WDZS?= =?utf-8?B?a0FjN2w1Vkwyc0FiMU0yWXNScFByeGdnWGxnRHR3c0tJTjZrQ245ZUJIUGxx?= =?utf-8?B?VGlIQkdGenlHY2NQbFBTb2tBT00vZkczNUlkQVhGQ2dOWURtcG4wdTdxWWdV?= =?utf-8?B?eVVVa0ZzUkwrd3dtV0NmVW5kOXhMWk4vNGpRREozQ3F2NThmS25PcUt5Q2Jz?= =?utf-8?B?b0tueWZIUkNoVUpvTm5nWmkwR3hjbVJ1elN6VlF1eGt6alVQc2QrLzNsNktD?= =?utf-8?B?bkpiRklzWHZQdVFpb1dneFZoaG4zZldYczVEeGlidlNsTk51NUpZVm9XNDhk?= =?utf-8?B?RWJNbzBpSUxqN3NGQld3WlVRYThhZmhYcjFmWlF4SkJLTkU3Ny9LYzZsZ254?= =?utf-8?B?RkJDNGxjTStSUURHNlQ0UUpVZFdXT3Y0cXUwT1p2VFlLYkYrRGZ5UGJZbkM1?= =?utf-8?B?Ui9RZzRPWDFQMzJ1ZE5lVGVnUDB2eUZPaXpzU2ZyOXRxMEltYlpqTSt6cWtu?= =?utf-8?B?R0hiM2ZMVXNrb2JocllYczBka1NQajZHWWR6ejl4U2c1Lzk5Sjh2ZFhIYXFu?= =?utf-8?B?cUlsMFRPdzhPbncvTUFaMTRrdCtESlpSQ21WbGZlSWl0QTkzQ2g2NXZtc3Zr?= =?utf-8?B?Q1k5Q041TmhLNnplaEZVSXQxNnVWUlVTaEpPYUpycERXTS9adVJsbUF4aDRS?= =?utf-8?B?VlVsYWFXaVdMOVF0TERhcWN0am5LWEx5Tm9FQUpWZ3U3Y1FnVDR3QjFsV1lh?= =?utf-8?B?bW9oMWtmZUl1cDhOckJiL1hpNkhGNHppSUl6QmhsOVlGRTNpS1dOYkZkaHI2?= =?utf-8?B?aFZ1dnhEd2JBZlk2d2UrdUV2bnpHS1RzbEU3WkRFcWtPNXMvRWV1c1FwZGsx?= =?utf-8?B?aHN4TnB0U2hxSWlWMjd2SjFWWGRJTGc0dHZtdHB1NTRETmhwN2I4aVZsNEFJ?= =?utf-8?B?S1VtVWFHZUF2eDF6ejlUM3hiclYxT0tNZkt1YUNyVlVLbmFaU0FaMmdIWThT?= =?utf-8?B?N1dTaXZHYllqZ0pnQ053YnRmVjNDV3JUWHhJN0JaM1B3OWxUSElLS2VMLzNz?= =?utf-8?B?TC9UQ1hNcHpudTZyMFE1d2w0bUN2alZrU0xiVmtoL3FFUGc0eGlPUUlLYmY5?= =?utf-8?B?SEcybHN1ZG1ob1I4U1k1V3UvaDRreFBtRUkvUlJxSnJDRk10c1V5VVoyTUFv?= =?utf-8?Q?+58QznZTLKmI3?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <C5ED2E9F380AAF42AD6C1E67889F217D@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB4966.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5181641d-4d69-47e5-0404-08d8f66c4955
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Apr 2021 06:47:01.9198 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: G7S/MO4+3HYaCrG7h4qnuVbOP/BsAwm+m3JNbZ6Mw9eHKu68NkUb817qd4Xr8alYbhEMP7mZzfkWZswM8TBRFA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR11MB5111
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.17, xbe-rcd-002.cisco.com
X-Outbound-Node: aer-core-1.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/OamslLK6d_yR0blxT9nFDQqqEKo>
Subject: Re: [dns-privacy] AD review of draft-ietf-dprive-xfr-over-tls-08
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Apr 2021 06:47:15 -0000

Sara

Sorry for belated reply, I took a couple of days off.

Thank you for your detailed reply and actions. I am happy with all proposed changes; for a couple of remaining points, please look below for EV>

As soon as a revised I-D is uploaded, then I am initiating the IETF Last Call.

Regards

-éric

-----Original Message-----
From: Sara Dickinson <sara@sinodun.com>
Date: Monday, 29 March 2021 at 15:08
To: Eric Vyncke <evyncke@cisco.com>
Cc: "draft-ietf-dprive-xfr-over-tls@ietf.org" <draft-ietf-dprive-xfr-over-tls@ietf.org>rg>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Subject: Re: AD review of draft-ietf-dprive-xfr-over-tls-08



    > On 18 Mar 2021, at 15:33, Eric Vyncke (evyncke) <evyncke@cisco.com> wrote:
    > 
    > Dear authors,
    > 
    > Thank you (and extended thanks to the WG) for this document.
    > 
    > Please find below my AD review of -08 revision of the document. Before proceeding with the publication process, I will appreciate replies about the points below (and possibly a revised I-D).

    Many thanks for the review!

    > 
    > - Section 1: please replace the reference to RFC7626 with the 7626bis document, which is already in the RFC editor queue

    Done. 

    > - Section 1: does the use of legacy RFC 7626 rather than the bis impact the rest of the section ?

    Not in terms of XFR - the bis makes no updates to the discussion of XFR handling.

    But your comment on this paragraph prompted me to remove the reference to the draft-vandijk-dprive-ds-dot-signal-and-pin as the discussion in DPRIVE has moved on significantly from when that was first published. I suggest changing the text to:

    “and some suggestions for how signaling of DoT support by authoritatives might work."

    > - Section 1: “Some operators use SSH tunneling or IPSec to encrypt the  transfer data” is this assertation backed by some public references ?

    I can’t find any good references for specific deployments even though it is a know technique, but the NIST guide referenced in the next paragraph does also mention it as an option. I propose to remove that specific sentence and update the following paragraph:

    “Section 8 of the NIST guide on 'Secure Domain Name System (DNS) Deployment'
    [@nist-guide] discusses restricting access for zone transfers using ACLs and
    TSIG in more detail. It also discusses the possibility that specific deployments
    might choose to use a lower level network layer to protect zone transfers, e.g., IPSec."

    > - Section 1: did you consider adding something about reconnaissance ? I.e., network scanning of an IPv6 prefix is basically impossible but having access to a DNS zone and its AAAA RR makes the reconnaissance trivial

    Not really, as I think the main concern with zone enumeration has largely been the exposure of the names rather than the IP addresses, but it is a good point. We could add the following text after the bullet points.

    “Additionally, the full zone contents expose all the IP addresses of endpoints held in the DNS records which can make reconnaissance trivial, particularly for IPv6 addresses."


    > - Section 4.1: from a logical flow perspective, I would have started with the threat model first, then the confidentiality/authentication/ parts

    Thanks - that makes more sense. I have changed section 4.1 into section 4 (threat model) and changed the use cases to be section 5 (but also see next answer). 


    > - Section 4: I find the logic of the ‘performance’ point weird because it is not really generated by the document but rather by an upgrade. I suggest to rewrite this part.

    I think a better title for that section would be something like ‘Design considerations for XoT’ which might better describe what is being listed there? 

EV> good suggestion

    > - Some nits usually ‘e.g.’ is surrounded by commas

    Fixed

    > - BTW, while I appreciate the trend to replace master by primary, may I suggest to clarify in the terminology section that ‘primary’ means ‘master’ and ‘secondary’ means ‘slave’ ? Up to you as it is a touchy topic but making the linked with the legacy document seems important to me. Really up to the authors.

    Suggest moving the text on this to be a sub note to the RFC8499 reference which already deals with the legacy terms:

    “DNS terminology is as described in [@!RFC8499]. Note that as in [@!RFC8499], the
    terms 'primary' and 'secondary' are used for two servers engaged in zone transfers."

    > - Section 5.2 last § missing a closing ‘)’
    > - Section 5.3.2 please qualify “lag” (I guess serial numbers)
    > - Section 6, unsure whether “(probably unintentional)" add any value, consider to remove ?

    All fixed.

    > - Section 6.4, "one DoH connection" even with the "could hypothetically include" appears a little weird to me

    The full list of multiple transports was added after a discussion in the WG to clarify the issue. We did think about using DNS-over-QUIC instead, but using a standardised protocol seemed better….

EV> understood

    > - Section 7, consider expanding the XoT in the section title ? It looks weird in the ToC
    > - section 7.6, perhaps also expand XoT and ADoT in the section title

    I tried to use acronyms everywhere after the terminology section where they are defined as I believe the RFC editor tends to ask this? So I’ve actually fixed up a couple of places where that wasn’t true… If you think this is a real readability issue for the section headings then we can change them (I’ve used XoT long enough not to think so!)

EV> hmm, the ToC is before the terminology section though ;-) But, let's see what the RFC editor will say.

    > - section 7.6, §2 "short term,S.S. with regard" typo in S.S. 

    fixed

    > - section 8, long RTTs are mentioned as a reason to change of preferred primary, but, RTT is only one part of the TCP throughput. Should this be elaborated further ?

    From my limited knowledge of existing algorithms I believe only the query/response RTT is used (the handshake is not measured), so I’ll clarify that.


    > - section 8, in " 'parallel primary connection' model" should this be "models” ?

    No, in this and the previous paragraph we are comparing two different models (unless I missed your point).

    > - section 9.3.1 " MitM" is not defined and current trend is to replace it with "on path active attacker" (really up to the authors as I do mind)
    > - section 9.3.3. nits in " client can authentic the”

    Fixed. 

    > - section 9 and 10, I wonder why section 9 (mechanisms) is not a sub-section of section 10 (I do not really mind though)

    9 is the outline of all the possible mechanisms for XFR/XoT, 10 is the specifics of what XoT requires. 

    > - section 11, should there be a "then" in " if AXFRs use AXoT all IXFRs MUST use IXoT” ?

    fixed

    > - section 12, the text talks about implementations but I wonder whether the section title should rather be on operations 

    The first two paragraphs are meant as specific notes to implementors, the second 2 are more operations though… I have split them out into a separate sections.

    > - section 15, should there be a discussion on using simple IP ACL as authentication ? IP spoofing exists ;)

    Do you mean specifically TCP IP address spoofing for TLS connections? Do you know of a good reference which would be suitable here?

EV> indeed the secondary IP address could be spoofed. Alas, no real reference available but I would expect a comment from SEC dir or our SEC ADs on this part.


    A diff to the -08 version with the suggested updates (and a couple more typos fixed) for you to review is here:
    https://tinyurl.com/329f65yj


    Best regards

    Sara.