IETF Logo Mail Archive

Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-unilateral-probing

Paul Hoffman <paul.hoffman@icann.org> Wed, 22 March 2023 21:16 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAC7FC14CE3B for <dns-privacy@ietfa.amsl.com>; Wed, 22 Mar 2023 14:16:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qYSYTxw80NfA for <dns-privacy@ietfa.amsl.com>; Wed, 22 Mar 2023 14:16:59 -0700 (PDT)
Received: from ppa4.dc.icann.org (ppa4.dc.icann.org [192.0.46.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BF6CC14CF1B for <dns-privacy@ietf.org>; Wed, 22 Mar 2023 14:16:59 -0700 (PDT)
Received: from MBX112-W2-CO-1.pexch112.icann.org (out.mail.icann.org [64.78.33.5]) by ppa4.dc.icann.org (8.17.1.19/8.17.1.19) with ESMTPS id 32MLGvwt012575 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <dns-privacy@ietf.org>; Wed, 22 Mar 2023 21:16:57 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.25; Wed, 22 Mar 2023 14:16:55 -0700
Received: from MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) by MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) with mapi id 15.02.1118.025; Wed, 22 Mar 2023 14:16:55 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Thread-Topic: [Ext] [dns-privacy] WGLC : draft-ietf-dprive-unilateral-probing
Thread-Index: AQHZXQOhEi/Es8klnk2eAuk9kXfpag==
Date: Wed, 22 Mar 2023 21:16:55 +0000
Message-ID: <9D5FD078-E43D-4048-8D53-F8526DD8C174@icann.org>
References: <64e17d73-ea1a-00cb-a8a5-b5cfb39c37ae@innovationslab.net> <D457FEE0-7848-45C4-A9B5-831347023091@verisign.com>
In-Reply-To: <D457FEE0-7848-45C4-A9B5-831347023091@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: True
Content-Type: text/plain; charset="us-ascii"
Content-ID: <547F23D509A72149A2EEFEF3B4C5A6EC@pexch112.icann.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-03-22_18,2023-03-22_01,2023-02-09_01
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/Zb3pqrQG055ghmNuC40JaUanUfQ>
Subject: Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-unilateral-probing
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Mar 2023 21:16:59 -0000

On Mar 22, 2023, at 12:39 PM, Wessels, Duane <dwessels=40verisign.com@dmarc.ietf.org> wrote:
> My primary concern with this draft is that, as written, it could
> be interpreted as a requirement for DNS providers that operate
> under contracts that use language such as "shall comply with relevant
> existing RFCs".  

There are plenty of other DNS-related RFCs that I doubt you comply with because no one cares about them. However, that kind of language is unfortunately not rare.

> I'm not sure that was the authors' intention.

Our intention, is stated in the first sentence of the Introduction:
   This document aims to provide guidance to implementers who want to simply enable protection against passive network observers.
The "who want" is the key here. There is absolutely no expectation that everyone will implement it. This is no different than, say, QNAME minimization.

> For example, section 3 says:
> 
>   An authoritative server implementing the protocol described in this
>   document MUST implement at least one of DoT or DoQ on port 853.
> 
> I can think of a couple ways this guidance could be improved:
> 
> 1. The document could be split into two separate documents for clients
>   and servers, and the server document could be given Experimental status.
> 
> 2. Clarify that this protocol is optional for servers to deploy.  For example:
> 
>   The protocol described in this document is OPTIONAL for authoritative
>   servers.  An authoritative server choosing to implement the
>   protocol described in this document MUST implement at least one
>   of DoT or DoQ on port 853.

Thanks, that sounds good, and we will make that change, and as similar one for resolvers: it is OPTIONAL for them as well.


> Also as a point of semantics, when this document uses "implement"
> I think maybe it really means "deploy"?  I've always thought that
> implementation is what developers do and deployment is what operators
> do.  That is the approach taken with RFCs 7766 (DNS Transport over
> TCP - Implementation Requirements) and 9210 (DNS Transport over TCP
> - Operational Requirements).

The document is talking about both. The mechanics have to be in the implementation, but they have to be turned on in configuration by the operator deploying the implementation.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email