Re: [dns-privacy] WGLC : draft-ietf-dprive-unilateral-probing

Ralf Weber <dns@fl1ger.de> Tue, 28 March 2023 12:30 UTC

From: Ralf Weber <dns@fl1ger.de>
To: dns-privacy@ietf.org
Date: Tue, 28 Mar 2023 21:29:46 +0900
Message-ID: <00209F39-7B17-483E-AFFF-69084F3FF105@fl1ger.de>
In-Reply-To: <64e17d73-ea1a-00cb-a8a5-b5cfb39c37ae@innovationslab.net>
References: <64e17d73-ea1a-00cb-a8a5-b5cfb39c37ae@innovationslab.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/_AR7f1aZzwOy7scejgvoCXA9gVo>
Subject: Re: [dns-privacy] WGLC : draft-ietf-dprive-unilateral-probing

Moin!

On 13 Mar 2023, at 0:43, Brian Haberman wrote:
>      The chairs will note that the document is currently marked as Proposed Standard and that there has been a suggestion to move it to Experimental. If you have an opinion on the status at this time, please include it in your feedback to the WG mailing list. We will revisit the status of the document before it gets advanced to our AD.

As I don’t think probing for secure transport is a good idea, and hope that we will come up with better solutions that follow the DNS delegation model, which will make this draft obsolete, I think it is prudent to mark it Experimental.

Overall I think the draft goes into too much implementation detail, which is shown by real-world implementations having made slightly different choices.

While I think using IP addresses for authoritative server selection is a natural choice, there have been cases where an authoritative server on the same IP answers differently depending on the domain asked, which will not work well with the detailed implementation in that draft.

Another thing I find a bit strange is that in
	4.6.7.  Handling Clean Shutdown of an Encrypted Transport Connection
the encrypted resolution is tried again immediately with no back-off time. This makes it hard for an authoritative server that wants to limit resource exhaustion. Why are we not using the dampening timer here, and instead forcing the authoritative server to do an unclean shutdown (4.6.5) in order to keep the client away for some time?

So long
-Ralf
——-
Ralf Weber
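The two behaviours discussed in the mail above, per-IP state for authoritative server selection and the lack of a back-off after a clean shutdown, as an added worked example. This is a toy model written for this page; it is not code from draft-ietf-dprive-unilateral-probing or from any resolver, and it is not Ralf's. The `DAMPING_SECONDS` value is an assumed constant, the IP address and zone names are constructed, and the `key_by_zone` and `damp_on_clean_shutdown` switches are hypothetical alternatives added to show what changes if state is keyed by (IP, zone) instead of IP alone, or if a clean close is damped like an unclean one.

```python
# Added example (not from the draft or the mail): a toy model of the resolver-side
# state a unilateral-probing implementation keeps per authoritative server, with a
# damping timer that suppresses further encrypted-transport attempts after a failure.
from dataclasses import dataclass
from enum import Enum

DAMPING_SECONDS = 300.0  # assumed value for illustration; not taken from the draft


class Outcome(Enum):
    ENCRYPTED_OK = "encrypted_ok"          # encrypted query was answered
    CLEAN_SHUTDOWN = "clean_shutdown"      # server closed the connection cleanly
    UNCLEAN_SHUTDOWN = "unclean_shutdown"  # reset, timeout or handshake failure


@dataclass
class ServerState:
    damped_until: float = 0.0   # no encrypted attempts before this time
    last_encrypted_ok: bool = False


class ProbingPolicy:
    """Decides whether the resolver should attempt an encrypted transport."""

    def __init__(self, key_by_zone: bool = False, damp_on_clean_shutdown: bool = False):
        # key_by_zone: hypothetical variant keying state by (ip, zone) rather than ip only
        # damp_on_clean_shutdown: hypothetical variant applying the damping timer to a clean close
        self.key_by_zone = key_by_zone
        self.damp_on_clean_shutdown = damp_on_clean_shutdown
        self.state: dict = {}

    def _key(self, ip: str, zone: str):
        return (ip, zone) if self.key_by_zone else ip

    def should_try_encrypted(self, ip: str, zone: str, now: float) -> bool:
        st = self.state.get(self._key(ip, zone))
        if st is None:
            return True  # never contacted: probe opportunistically
        return now >= st.damped_until

    def record(self, ip: str, zone: str, outcome: Outcome, now: float) -> None:
        st = self.state.setdefault(self._key(ip, zone), ServerState())
        if outcome is Outcome.ENCRYPTED_OK:
            st.last_encrypted_ok = True
            st.damped_until = 0.0
        elif outcome is Outcome.UNCLEAN_SHUTDOWN:
            st.last_encrypted_ok = False
            st.damped_until = now + DAMPING_SECONDS
        elif outcome is Outcome.CLEAN_SHUTDOWN:
            if self.damp_on_clean_shutdown:
                st.damped_until = now + DAMPING_SECONDS
            # otherwise no back-off: the next query may reconnect immediately


def shutdown_comparison():
    """Whether an encrypted retry is allowed one second after each kind of close,
    and again once the damping timer has expired, for both clean-close policies."""
    ip = "192.0.2.53"  # constructed documentation address
    results = {}
    for damp_clean in (False, True):
        p = ProbingPolicy(damp_on_clean_shutdown=damp_clean)
        p.record(ip, "example.", Outcome.ENCRYPTED_OK, now=0.0)
        p.record(ip, "example.", Outcome.CLEAN_SHUTDOWN, now=10.0)
        after_clean = p.should_try_encrypted(ip, "example.", now=11.0)
        p.record(ip, "example.", Outcome.UNCLEAN_SHUTDOWN, now=20.0)
        after_unclean = p.should_try_encrypted(ip, "example.", now=21.0)
        recovered = p.should_try_encrypted(ip, "example.", now=20.0 + DAMPING_SECONDS)
        results[damp_clean] = (after_clean, after_unclean, recovered)
    return results


def keying_comparison():
    """One IP hosting two zones: an unclean failure for zone A, then a query for zone B.
    With per-IP state the failure for A also damps B; with (ip, zone) state it does not."""
    ip = "192.0.2.53"  # constructed documentation address
    results = {}
    for by_zone in (False, True):
        p = ProbingPolicy(key_by_zone=by_zone)
        p.record(ip, "a.example.", Outcome.UNCLEAN_SHUTDOWN, now=0.0)
        results[by_zone] = p.should_try_encrypted(ip, "b.example.", now=1.0)
    return results


if __name__ == "__main__":
    print(shutdown_comparison())  # {False: (True, False, True), True: (False, False, True)}
    print(keying_comparison())    # {False: False, True: True}
```

In the default configuration the model reproduces the behaviour the mail objects to: a clean shutdown leaves `damped_until` untouched, so the resolver reconnects on the next query, while only an unclean shutdown starts the timer. The `key_by_zone` variant shows the other side of the mail's point: with state keyed by IP alone, one zone's failure on a shared address suppresses encrypted attempts for every other zone served from that address.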