Re: [dns-privacy] I-D Action: draft-ietf-dprive-phase2-requirements-01.txt
Benno Overeinder <benno@NLnetLabs.nl> Wed, 28 October 2020 22:37 UTC
Return-Path: <benno@NLnetLabs.nl>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E1583A0989 for <dns-privacy@ietfa.amsl.com>; Wed, 28 Oct 2020 15:37:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8K3NtIQBLFLF for <dns-privacy@ietfa.amsl.com>; Wed, 28 Oct 2020 15:37:18 -0700 (PDT)
Received: from outbound.soverin.net (outbound.soverin.net [116.202.65.215]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86A3A3A09AD for <dns-privacy@ietf.org>; Wed, 28 Oct 2020 15:37:18 -0700 (PDT)
Received: from smtp.soverin.net (unknown [10.10.3.24]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id 2118B60291; Wed, 28 Oct 2020 22:37:16 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [159.69.232.138]) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1603924635; bh=JCVnHyTcgfKa3XHhKFAiSvXAIW6svovbYc0PceALcVo=; h=To:Cc:References:From:Subject:Date:In-Reply-To:From; b=W+Q/wbJy6SeLul2IpYWIQQRSX4l6k1U1DkaHoUcbpf3dj1liwIAtuwBQfjhorypVG 5P+Rt2OXlHow6TjcwfJ9mQJ+vUC3nUV/I3+JXmmg8sjzRBuN37RSxSYNVGdoh2qt+W 9BfbkEX68Iks/ta2l8rYUSeysg/dtyupqT+/wRkmcS0vmSF4D7bjU0aJkdB3+NHPhl 6GAI6RzVjIRr5QmaQuHtXn/VlcQ6sattwrJ6s4lJv6Mg7M3es+Ey/+T7PzqtTQOtsm 3iRTUU1j4IMC/BNF3VECAE7h4HLNzwIQinXCH7A1jqFhX8oMrD7J4ZAkRcQ2mPdJvm c978Qvnz5iigw==
To: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Cc: "Wessels, Duane" <dwessels=40verisign.com@dmarc.ietf.org>
References: <159234366460.2400.12637173675987685004@ietfa.amsl.com> <ea861403-19c8-d7a8-e6bd-e3485c37164e@NLnetLabs.nl> <B12982BA-3D00-46BD-AA2E-80C8CE45DDD6@verisign.com>
From: Benno Overeinder <benno@NLnetLabs.nl>
Message-ID: <50262a2e-91bb-6bb8-b19a-90eba73d7454@NLnetLabs.nl>
Date: Wed, 28 Oct 2020 23:37:13 +0100
MIME-Version: 1.0
In-Reply-To: <B12982BA-3D00-46BD-AA2E-80C8CE45DDD6@verisign.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/UytzDuKDkRs8vy4B-Nq5ffpC6bs>
Subject: Re: [dns-privacy] I-D Action: draft-ietf-dprive-phase2-requirements-01.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Oct 2020 22:37:22 -0000
Hi Duane, Thank you for your feedback on the draft. For the changes we have already made, I'd like to refer you and the WG to the GitHub version https://github.com/alex-nicat/ietf-dprive-phase2-requirements/blob/master/draft-ietf-dprive-phase2-requirements.md On 22/06/2020 21:36, Wessels, Duane wrote: >> 5. Requirements >> >> The requirements of different interested stakeholders are outlined >> below. >> > > Perhaps this is obvious others, but I would like to see a better explanation of exactly what kind of requirements these are meant to be. Are they implementation or protocol requirements (versus operational requirements)? Or requirements of some other type? Indeed, these were not clearly defined. I think with the current version on GitHub it is better defined what protocol and implementation is, and what are the options of an operator to support DNS privacy with the authoritative. > Also, I'm struggling a little bit with "interested stakeholders" above. I don't think these are requirements *on* stakeholders. Maybe it would be better to say something like "[protocol] requirements of different elements are outlined below."? Thank you for the suggestion. > >> 5.1. Mandatory Requirements >> >> 1. Each implementing party should be able to independently take >> incremental steps to meet requirements without the need for >> close coordination (e.g. loosely coupled) > > If that is a requirement then MUST/must instead of "should"? Correct. >> 2. Use a secure transport protocol between a recursive resolver and >> authoritative servers >> >> 3. Use a secure transport protocol between a recursive resolver and >> TLD servers >> >> 4. Use a secure transport protocol between a recursive resolver and >> the root servers > > These were worded a differently in an earlier version. The following text is from draft-lmo-dprive-phase2-requirements-01: > > >> 2. Implement DoT between a recursive resolver and single level domain >> authoritative servers (high risk, high priority) >> >> 3. Implement DNS privacy protections between a recursive resolver and >> TLD servers (low risk, low priority) >> >> 4. Implement DNS privacy protections between a recursive resolver and >> the root servers (low risk, low priority) > > > I get why DoT was changed in #2, but why was "DNS privacy protections" changed to "a secure transport protocol"? Why were the risk and priority classifications removed? This was after WG input last year, before the document became a -00 WG draft. I have to go back to our notes how the comments were phrased during the WG session. See also commits af63fc4 and 0a9f30e on GitHub (https://github.com/alex-nicat/ietf-dprive-phase2-requirements/commits/master/draft-ietf-dprive-phase2-requirements.md). > Also, I'm not sure how these are requirements as written (e.g., they lack RFC 2119 key words). And, on whom or what are these requirements placed upon? > > >> 5. The secure transport MUST only be established when referential >> integrity can be verified, MUST NOT have circular dependencies, >> and MUST be easily analyzed for diagnostic purposes. >> > > > I think the "MUST NOT have circular dependencies" requirement should be further explored (i.e., more text). Since item 9 below says that specification of preferences must occur using DNS only, is that itself a circular dependency? > > Also, could more be said about the "easily analyzed" part? "easily" might be subjective, unless there is to be some way to quantify this requirement? Correct, I think this text still reflects (too) closely the WG discussion and should be formulated more strictly. >> 6. Use a secure transport protocol or other DNS privacy protections >> in a manner that enables operators to perform appropriate >> performance and security monitoring, conduct relevant research, >> etc. > > Again, not sure how this is a requirement or for whom it is a requirement. Does it mean something like "use of secure transport protocols MUST NOT prevent operators [of xxx] from performing appropriate performance and security monitoring, conducting research, etc."? Indeed. Maybe you can look at the current formulation on GitHub. I will submit a new version before the submission deadline Monday, 2 November. >> 7. The authoritative domain owner or their administrator MUST have >> the option to specify their secure transport preferences (e.g. >> what specific protocols are supported). This SHALL include a >> method to publish a list of secure transport protocols (e.g. >> DoH, DoT and other future protocols not yet developed). In >> addition this SHALL include whether a secure transport protocol >> MUST always be used (non-downgradable) or whether a secure >> transport protocol MAY be used on an opportunistic (not strict) >> basis. >> >> 8. The authoritative domain owner or their administrator MUST have >> the option to vary their preferences on an authoritative >> nameserver to nameserver basis, due to the fact that >> administration of a particular DNS zone may be delegated to >> multiple parties (such as several CDNs), each of which may have >> different technical capabilities. > > Including that some servers for a domain may use secure transport and others may not? > > It is common for a given name server to be authoritative for multiple zones. Should this document state that a name server can provide secure transport for one zone but not another? Correct, thanks. > >> 9. The specification of secure transport preferences MUST be >> performed using the DNS and MUST NOT depend on non-DNS >> protocols. >> >> 10. For the secure transport, TLS 1.3 (or later versions) MUST be >> supported and downgrades from TLS 1.3 to prior versions MUST not >> occur. >> > > It seems like #10 should be qualified with something like "For TLS-based transports..." since there might be some future secure transport that is not based on TLS? Correct. >> 5.2. Optional Requirements >> > > Optional Requirements is perhaps an oxymoron? Maybe "Recommendations" of some kind? Changed to Optional Features. >> 1. QNAME minimisation SHOULD be implemented in all steps of >> recursion >> >> 2. DNSSEC validation SHOULD be performed >> >> 3. If an authoritative domain owner or their administrator indicates >> that (1) multiple secure transport protocols are available or >> that (2) a secure transport and insecure transport are available, >> then per the recommendations in [RFC8305] (aka Happy Eyeballs) a >> recursive server SHOULD initiate concurrent connections to >> available protocols. Consistent with Section 2 of [RFC8305] this >> would be: (1) Initiation of asynchronous DNS queries to determine >> what transport protocols are supported, (2) Sorting of resolved >> destination transport protocols, (3) Initiation of asynchronous >> connection attempts, and (4) Establishment of one connection, >> which cancels all other attempts. >> > > To me this item about happy eyeballs feels out of place in this document, and I worry that we are not fully aware of the amplification effects that can occur from multiple layers of happy eyeballs. > > For example, user clicks on www.example.com URL. Happy eyeballs browser looks up both A and AAAA records (maybe more with new stuff like HTTPS & SVCB). Happy eyeballs recursive sends queries to both IPv4 and IPv6 addresses of name server. That’s 2x2=4 queries for the single click. Now add secure transport happy eyeballs and it becomes 2x2xN for however many secure transports are given. IMO this needs further study and discussion before recommending it. We changed this section also with feedback/text from others. Thank you for your valuable feedback. Best, -- Benno
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Benno Overeinder
- [dns-privacy] I-D Action: draft-ietf-dprive-phase… internet-drafts
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Benno Overeinder
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Wessels, Duane