IETF Logo Mail Archive

Re: [dns-privacy] Stephen Farrell's Discuss on draft-ietf-dprive-dns-over-tls-07: (with DISCUSS and COMMENT)

"Wessels, Duane" <dwessels@verisign.com> Wed, 09 March 2016 21:42 UTC

Return-Path: <dwessels@verisign.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3DD612D589 for <dns-privacy@ietfa.amsl.com>; Wed, 9 Mar 2016 13:42:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2nie3uOCdprT for <dns-privacy@ietfa.amsl.com>; Wed, 9 Mar 2016 13:42:38 -0800 (PST)
Received: from mail-qg0-x264.google.com (mail-qg0-x264.google.com [IPv6:2607:f8b0:400d:c04::264]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48E0B12D5AA for <dns-privacy@ietf.org>; Wed, 9 Mar 2016 13:39:52 -0800 (PST)
Received: by mail-qg0-x264.google.com with SMTP id p68so6048751qge.0 for <dns-privacy@ietf.org>; Wed, 09 Mar 2016 13:39:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verisign-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:thread-topic:thread-index:date:message-id :references:in-reply-to:accept-language:content-language:content-id :content-transfer-encoding:mime-version; bh=PCxxc1P/imV+tPS7wdUufS1FL44SNJSNbgtvaKArrJw=; b=WcU6760dCge97kICNcIFpXvFeU4kCddi7TnLW8iMyi10wB6GEpBUoW5Utio7RdzKzF Yf4foY2GuwJ5qXzfaJ3TiBaTQ19HxDg3pqzduV1fShEI12kiBEt7FQbvf7L6Ioo22kvs PyWadF2Dap7dLykPW2DJG8aamnomzuDDeO5RTfE/nRVf0/fVQz6ZfmJEoBsGp/bd0lW5 vALTuEDHiz7FvpfH1Ar3mgRzaYDwZ9L78KLhSZVy1FVmxxMrg+IOXH1Z22kN87hYPmWC MDe6EIjuXd2fgbowsFlsuZ5kFLnZMTp3CaDBrYkdj3XqLBKKdX73O1lmQC5d5rNP0bp4 LIww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:thread-topic:thread-index :date:message-id:references:in-reply-to:accept-language :content-language:content-id:content-transfer-encoding:mime-version; bh=PCxxc1P/imV+tPS7wdUufS1FL44SNJSNbgtvaKArrJw=; b=W7oC2L69A497+QrGNyiNb/UBMeABQ3YNEobfoTc0HvfwGaKI54IoMkggWhW49rbJrj L5tHIMQdfsAPn+RY5mEic2hLm1Qcu53UkM1ltelVKNV6+DrzHwyfJM55VozuIQ6+dg95 aFvcJK8zi9hIjsgCzZuX45EXLo7dY9Xpeb7//d1HkzgkQ/XBA9wMdKmf3D+0QfvDO2R7 G0firSJt17WJZ3aap0u+gl8GvQgm7glu1MWsmRtxIyLvBgBk0ZGQyeQTexc7oNdXU1FT i2Nxt57C36pEr8rpu50If5BDSCcgIPRNj3CLbfGCTzZyCNo4f+cR/QLYsEytNn0gN4mh +pYQ==
X-Gm-Message-State: AD7BkJLp3EBHEODPguO7HTJKkr+c5HSCpmvJ/GczQMicC8fXIJnHGEqWWaKTAJuOKSuI98slm3wPs1+jc6Ae40uttEDtebiW
X-Received: by 10.140.98.163 with SMTP id o32mr687125qge.46.1457559591138; Wed, 09 Mar 2016 13:39:51 -0800 (PST)
Received: from brn1lxmailout01.verisign.com (brn1lxmailout01.verisign.com. [72.13.63.41]) by smtp-relay.gmail.com with ESMTPS id c62sm99750qkb.0.2016.03.09.13.39.50 (version=TLS1 cipher=AES128-SHA bits=128/128); Wed, 09 Mar 2016 13:39:51 -0800 (PST)
X-Relaying-Domain: verisign.com
Received: from brn1wnexcas02.vcorp.ad.vrsn.com (brn1wnexcas02 [10.173.152.206]) by brn1lxmailout01.verisign.com (8.13.8/8.13.8) with ESMTP id u29Ldn69026286 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 9 Mar 2016 16:39:50 -0500
Received: from BRN1WNEXMBX02.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas02.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0174.001; Wed, 9 Mar 2016 16:39:47 -0500
From: "Wessels, Duane" <dwessels@verisign.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Thread-Topic: [dns-privacy] Stephen Farrell's Discuss on draft-ietf-dprive-dns-over-tls-07: (with DISCUSS and COMMENT)
Thread-Index: AQHReg6xm11l7pQYoEaC41e3MKdhUJ9Rxu8AgAAq3oCAAAY4gA==
Date: Wed, 09 Mar 2016 21:39:47 +0000
Message-ID: <CF8F04AC-4113-4CF1-BC56-80D56B3278EA@verisign.com>
References: <20160309141923.27481.29744.idtracker@ietfa.amsl.com> <B870977A-D693-491E-B0FF-B97120C98CD8@verisign.com> <56E092D9.6070703@cs.tcd.ie>
In-Reply-To: <56E092D9.6070703@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.173.152.4]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <36273A140E4E0346BEA4473D2E1FD236@verisign.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/_D26nD6gxkMBqLqoOiVCifOSO3U>
Cc: Allison Mankin <allison.mankin@gmail.com>, "draft-ietf-dprive-dns-over-tls@ietf.org" <draft-ietf-dprive-dns-over-tls@ietf.org>, Sara Dickinson <sara@sinodun.com>, The IESG <iesg@ietf.org>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Subject: Re: [dns-privacy] Stephen Farrell's Discuss on draft-ietf-dprive-dns-over-tls-07: (with DISCUSS and COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2016 21:42:39 -0000

> On Mar 9, 2016, at 1:17 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> 
>> 
>>> 
>>> - 3.2: "make use of trusted a SPKI Fingerprint pinset" needs to be
>>> rephrased.
>> 
>> Do you say that because SPKI is not spelled out at this point, or
>> something else?  We've since expanded SPKI here.
> 
> No "trusted a SPKI" seems like Yoda-speak is all:-)

Okay, wow... I must've read that at least five times today and not noticed.


> 
>> 
>>> 
>>> - 3.4, 2nd last para: this recommends using tickets (RFC5077), which
>>> is fine. RFC7525 (section 3.4) suggests changing tickets at least
>>> weekly. Is that suggestion also good here or would it be better to
>>> recommend (or suggest) some other ticket lifetime? I'd guess 
>>> it's fine but maybe you know better?
>> 
>> Ticket lifetime hasn't come up before, so I would assume the RFC7525
>> recommendation is fine.
>> 
>> 
>>> 
>>> - 4.1, RFC 7435 is about "opportunistic security" and not about
>>> "opportunistic encryption." That followed a long terminology debate,
>>> so you might want to s/encryption/security/ there. (But I don't care
>>> personally:-)
>> 
>> I've changed it to opportunistic encryption.
> 
> It was that before, though. Maybe you did s/encryption/security/
> which'd be fine.

Yes, sorry!

       <section title="Opportunistic Privacy Profile">
         <t>
           For opportunistic privacy, analogous to SMTP opportunistic
-          encryption <xref target="RFC7435"/> one does not require privacy,
+          security <xref target="RFC7435"/>, one does not require privacy,
          but one desires privacy when
           possible.
         </t>



>> 
>> How does this look to you?
>> 
>>       Since
>>       padding of DNS messages is new, implementations might need to
>>       support multiple types of padding or other mitigation techniques
>>       in response to traffic analysis threats.
> 
> I'd suggest instead:
> 
> "Since traffic analysis can be based on many kinds of pattern
> and many kinds of classifier, simple padding schemes may not
> by themselves be sufficient to mitigate the attack. Padding
> will however form a part of more complex mitigations for the
> traffic analysis attack that are likely to be developed over
> time. Implementers who can offer flexibility in terms of how
> padding can be used may be in a better position to enable such
> mitigations to be deployed in future."


Excellent, thank you.

DW

v2.23.0 | Report a Bug | By Email