[dns-privacy] draft-ietf-core-dns-over-coap-01 (was [DNSOP] [core] WGA call for draft-lenders-dns-over-coap)
Martine Sophie Lenders <m.lenders@fu-berlin.de> Wed, 26 October 2022 13:08 UTC
Return-Path: <mlenders@zedat.fu-berlin.de>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44B3CC1524A6; Wed, 26 Oct 2022 06:08:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.204
X-Spam-Level:
X-Spam-Status: No, score=-4.204 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FgOc1-jz2Gb9; Wed, 26 Oct 2022 06:08:29 -0700 (PDT)
Received: from outpost1.zedat.fu-berlin.de (outpost1.zedat.fu-berlin.de [130.133.4.66]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D10EC14F724; Wed, 26 Oct 2022 06:08:27 -0700 (PDT)
Received: from inpost2.zedat.fu-berlin.de ([130.133.4.69]) by outpost.zedat.fu-berlin.de (Exim 4.95) with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384 (envelope-from <mlenders@zedat.fu-berlin.de>) id 1ong8v-000HCR-1a; Wed, 26 Oct 2022 15:08:25 +0200
Received: from 053dbcaa.dynamic.tele-ag.de ([5.61.188.170] helo=[192.168.101.6]) by inpost2.zedat.fu-berlin.de (Exim 4.95) with esmtpsa (TLS1.3) tls TLS_AES_128_GCM_SHA256 (envelope-from <m.lenders@fu-berlin.de>) id 1ong8u-002mER-Rk; Wed, 26 Oct 2022 15:08:25 +0200
Message-ID: <563a0746-8f9f-acde-ddab-7fdf7f9d51d3@fu-berlin.de>
Date: Wed, 26 Oct 2022 15:08:24 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.0
To: Ben Schwartz <bemasc@google.com>
Cc: core@ietf.org, DNS Privacy Working Group <dns-privacy@ietf.org>, dnsop <dnsop@ietf.org>
References: <CAHbrMsCdGhzw1WOm19KopKgAD2akReq_e0MfQbSQxpgS1hBixg@mail.gmail.com> <F32209CA-4EE3-4774-BD0F-C20DA2204E31@tzi.org> <402da239-3dd1-afa3-93ee-4a1602caa2d4@fu-berlin.de> <CAHbrMsDjGgVQmiaEPNigsOnW3QogLDyCt8kaR96_VH1AapHzzA@mail.gmail.com> <8797db06-da03-1ea1-ccc0-ed7ce323951e@fu-berlin.de> <CAHbrMsCW-bX2GEr9gwOhXYDLS_TFfXMLLRkt17Lp55U4apXYhQ@mail.gmail.com>
Content-Language: en-US
From: Martine Sophie Lenders <m.lenders@fu-berlin.de>
In-Reply-To: <CAHbrMsCW-bX2GEr9gwOhXYDLS_TFfXMLLRkt17Lp55U4apXYhQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Original-Sender: m.lenders@fu-berlin.de
X-Originating-IP: 5.61.188.170
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/a68ZVfIfOZCOfrDCDtJegFM0UdA>
Subject: [dns-privacy] draft-ietf-core-dns-over-coap-01 (was [DNSOP] [core] WGA call for draft-lenders-dns-over-coap)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Oct 2022 13:08:31 -0000
Hello Ben, Thanks for the feedback! We will account for that in the next version of the DoC draft (-02) ASAP. Some discussion regarding the ALPN ID (3) already started here: https://github.com/core-wg/draft-dns-over-coap/issues/22, something similar for OSCORE might also be required. Best Martine On 24.10.22 22:12, Ben Schwartz wrote: > Thanks for this update. I think the DoC draft is much improved by this > separation. > > On DoC: > > 0. Why isn't DoH via CoAP gateway sufficient? The draft should > explain. If the answer is message size overhead, please put a number on it. > > 1. The TTL rewriting proposed here is notably different from DoH. I > think I understand the reason for the divergence but it's not explained > in the draft. > > 2. Does DoC live at a URI path? I assume it does, but I couldn't tell > from the draft. If so, consider defining a default path, if this is a > common practice in CoAP. In HTTP, default paths are generally > forbidden, so DoH doesn't have one. This has been inconvenient. > > 3. I recommend adding a section describing how to bootstrap DoC in a > SVCB-DNS record. I think this may require you to allocate a new ALPN ID > for CoAP/DTLS (e.g. "coap-dtls"). > > -------- > > I don't think the "compact DNS" proposal is worthwhile, at least in the > current framing. The normal DNS message format is already quite well > optimized for compactness, and recursive resolvers rarely return > something that is unlikely to be useful. I think this draft would have > a really minimal impact on the typical message size distribution. Also, > DNS is typically used to bootstrap something else, so a small savings in > DNS overhead becomes negligible for the system as a whole. > > The draft also seems to contain a misconception about what is optional > in CNAME handling: there is no situation in which a stub resolver will > chase a CNAME chain. That is always the recursive resolver's job. > > On Mon, Oct 24, 2022 at 2:25 PM Martine Sophie Lenders > <m.lenders@fu-berlin.de <mailto:m.lenders@fu-berlin.de>> wrote: > > Hi! > > Am 21.09.22 um 21:31 schrieb Ben Schwartz: > > Preparing a separate document on compact DNS seems like a fine > start to me. > > We just published Version -01 of the draft [1]. The most significant > change in regard to this discussion is that Section 5.1 was now > moved to > its own draft [2]. We are happy to discuss this, e.g., in the DNSOP WG > meeting or F2F during a break at IETF 115, if the WG meeting agenda > does > not allow for this anymore. > > The full listing of changes to the DoC draft can be found in Appendix A > of [1]. > > Cheers > Martine > > [1] > https://datatracker.ietf.org/doc/draft-ietf-core-dns-over-coap/01/ > <https://datatracker.ietf.org/doc/draft-ietf-core-dns-over-coap/01/> > [2] https://datatracker.ietf.org/doc/draft-lenders-dns-cns/ > <https://datatracker.ietf.org/doc/draft-lenders-dns-cns/> > > > > > On Wed, Sep 21, 2022 at 4:32 AM Martine Sophie Lenders > > <m.lenders@fu-berlin.de <mailto:m.lenders@fu-berlin.de> > <mailto:m.lenders@fu-berlin.de <mailto:m.lenders@fu-berlin.de>>> wrote: > > > > Hi Ben, Hi Carsten, > > > > thanks for your suggestions, Ben! It seems a good idea to clarify > > options for compactification of DNS messages in a separate > document, > > since the compactification is indeed not bound to CoAP. We will > > prepare such a draft until the cut-off for IETF 115, so we can > > discuss whether we keep or remove Section 5.1 at the IETF > meeting in > > London. Would that work for you? > > > > I tend to agree with Carsten. At least with the current > wording (or > > the proposed), the restatements may lead to confusion, but some > > guidelines for the constrained use case should IMHO be part > of the > > document, even if only in reference to the new document proposed. > > > > Best > > Martine > > > > Am 20.09.22 um 18:17 schrieb Carsten Bormann: > >> I think we are falling into the restatement antipattern. > >> > >> This antipattern happens when documents restate mandates from > >> their references, invariably creating confusion if this is > just a > >> restatement or actually new normative text that replaces or > >> updates text from the dependency. Don’t do that. > >> > >> Examples can be put into their own section and clearly marked as > >> such. > >> > >> Grüße, Carsten > >> > >> Sent from mobile, sorry for terse > >> > >>> On 20. Sep 2022, at 17:12, Ben Schwartz > >>> <bemasc=40google.com@dmarc.ietf.org > <mailto:40google.com@dmarc.ietf.org>> > >>> <mailto:bemasc <mailto:bemasc>=40google.com@dmarc.ietf.org > <mailto:40google.com@dmarc.ietf.org>> wrote: > >>> > >>> > >>> Martine, > >>> > >>> Thanks for the proposed updated text regarding CNAMEs. I agree > >>> that it is an improvement, but I still think it would be better > >>> to omit entirely. By writing that implementations SHOULD > follow > >>> RFC 1034, you imply that they are permitted not to, which seems > >>> objectionable. I think it would be much clearer to simply say > >>> that use of DoC does not alter the DNS message contents. > >>> > >>> I feel similarly about the Additional section. If you > think that > >>> it would be useful to deviate from ordinary practices regarding > >>> the Additional section, I think this should be in a separate > >>> draft on compact DNS responses, not coupled to DoC. For > example, > >>> such compactification might be even more relevant to UDP Do53 > >>> than to DoC. > >>> > >>> --Ben > >>> > >>> On Mon, Sep 19, 2022 at 7:30 AM Martine Sophie Lenders > >>> <m.lenders@fu-berlin.de <mailto:m.lenders@fu-berlin.de> > <mailto:m.lenders@fu-berlin.de <mailto:m.lenders@fu-berlin.de>>> wrote: > >>> > >>> Hi, > >>> > >>> Sorry for the late reply, I was away from any keyboard for > >>> the past two weeks. > >>> > >>> I think there might be a misunderstanding regarding the > CNAME > >>> behavior, due to some poor wording in our draft: The CNAMEs > >>> should, of course, only be resolved in such a way, if the > >>> queried record was an A or AAAA record. This does not, > to my > >>> understanding, contradict the behavior described for CNAMEs > >>> in RFC 1034. We propose a different wording for the first > >>> sentence in 5.1 to prevent such misunderstandings in > the future: > >>> > >>> In the case of CNAME records in a DNS response to > an A or > >>> AAAA record query, a DoC server SHOULD follow common DNS > >>> resolver behavior [RFC1034 > >>> > <https://www.ietf.org/archive/id/draft-ietf-core-dns-over-coap-00.html#RFC1034 <https://www.ietf.org/archive/id/draft-ietf-core-dns-over-coap-00.html#RFC1034>>] by resolving a CNAME until the originally requested resource record type is reached. > >>> > >>> Regarding the population of the additional section, we also > >>> follow recommendations in RFC 1034, to only include records > >>> useful to the client. We deem this particularly noteworthy > >>> when it comes to DNS, as from our analysis of DNS traffic, > >>> responses can become quite large due to an abundance of > >>> records in the Additional section. With the message size > >>> constraints in LLNs, it might thus be necessary to > prune the > >>> DNS message for records actually useful to the querying DoC > >>> client. > >>> > >>> Lastly, mind, that, at least in our model for DoC, a DoC > >>> client does not further distribute the information it > >>> gathered via DoC. > >>> > >>> Regards > >>> Martine > >>> > >>> Am 06.09.22 um 17:06 schrieb Ben Schwartz: > >>>> Some further notes on this draft. > >>>> > >>>> Section 5.1 says that a DoC server "SHOULD" follow > CNAMEs. > >>>> This is a misunderstanding of the nature of DNS > transports. > >>>> DoC is a DNS transport, like DoT and DoH. The choice of > >>>> transport is independent of the DNS server's answering > >>>> behavior, which must not be modified by the transport. > >>>> Indeed, DPRIVE is now chartered to enable the use of > >>>> alternate transports for recursive-to-authoritative > queries > >>>> for which CNAME following has entirely different rules. > >>>> This is possible precisely because the choice of transport > >>>> does not alter the logical DNS contents. > >>>> > >>>> Section 5.1 also proposes that the population of the > >>>> Additional section might follow different logic when > using DoC. > >>>> > >>>> Modifying the logical DNS behavior would create a wide > range > >>>> of exciting and unpredictable compatibility issues when > >>>> trying to use a new transport. I urge the authors to > delete > >>>> Section 5.1, which would resolve this problem. The draft > >>>> could instead note that the DNS queries and responses are > >>>> not modified when using DoC, except under private > >>>> arrangement between the client and server. > >>>> > >>>> On Fri, Sep 2, 2022 at 12:20 PM Jaime Jiménez > <jaime@iki.fi <mailto:jaime@iki.fi> > >>>> <mailto:jaime@iki.fi <mailto:jaime@iki.fi>>> wrote: > >>>> > >>>> Dear CoRE WG, > >>>> > >>>> Thanks to the authors and the reviewers that provided > >>>> comments on the list for this draft. Given the in-room > >>>> support and the list discussion during the WGA the > >>>> chairs believe that there is sufficient support > for the > >>>> adoption of this document in CoRE. > >>>> > >>>> The authors are advised to resubmit the > >>>> draft-core-dns-over-coap and to set up a document repo > >>>> under the CoRE Github organization at > >>>> https://github.com/core-wg <https://github.com/core-wg> > <https://github.com/core-wg <https://github.com/core-wg>> > >>>> > >>>> BR, > >>>> > >>>> Jaime Jiménez on behalf of the CoRE chairs. > >>>> > >>>> On 15.8.2022 11.26, Jaime Jiménez wrote: > >>>>> Dear CoRE WG, > >>>>> > >>>>> We would like to start the call for adoption on > draft-lenders-dns-over-coap. > >>>>> The draft defines a protocol for sending DNS > messages over secure CoAP (DTLS and/or OSCORE). The draft was > discussed during IETF114 and on IETF113 and was well-received by the > group. > >>>>> > >>>>> https://datatracker.ietf.org/doc/draft-lenders-dns-over-coap/ > <https://datatracker.ietf.org/doc/draft-lenders-dns-over-coap/> > <https://datatracker.ietf.org/doc/draft-lenders-dns-over-coap/ > <https://datatracker.ietf.org/doc/draft-lenders-dns-over-coap/>> > >>>>> > >>>>> During the last IETF meeting there were no > objections for adoption so we confirm this now on the mailing list. > Please let us know if you support adopting this draft. As many > people will still be on vacation, we the WGA call will last a couple > of weeks, ending the/1st of September/. > >>>>> > >>>>> Note that DNSOP and DPRIVE are in the loop as the > draft is relevant for their working groups too. > >>>>> > >>>>> BR, > >>>>> -- > >>>>> Jaime Jiménez > >>>>> > >>>>> _______________________________________________ > >>>>> core mailing list > >>>>> core@ietf.org <mailto:core@ietf.org> <mailto:core@ietf.org > <mailto:core@ietf.org>> > >>>>> https://www.ietf.org/mailman/listinfo/core > <https://www.ietf.org/mailman/listinfo/core> > <https://www.ietf.org/mailman/listinfo/core > <https://www.ietf.org/mailman/listinfo/core>> > >>>> > >>>> -- > >>>> Jaime Jiménez > >>>> > >>>> _______________________________________________ > >>>> DNSOP mailing list > >>>> DNSOP@ietf.org <mailto:DNSOP@ietf.org> <mailto:DNSOP@ietf.org > <mailto:DNSOP@ietf.org>> > >>>> https://www.ietf.org/mailman/listinfo/dnsop > <https://www.ietf.org/mailman/listinfo/dnsop> > >>>> <https://www.ietf.org/mailman/listinfo/dnsop > <https://www.ietf.org/mailman/listinfo/dnsop>> > >>>> > >>>> > >>>> _______________________________________________ > >>>> core mailing list > >>>> core@ietf.org <mailto:core@ietf.org> <mailto:core@ietf.org > <mailto:core@ietf.org>> > >>>> https://www.ietf.org/mailman/listinfo/core > <https://www.ietf.org/mailman/listinfo/core> > <https://www.ietf.org/mailman/listinfo/core > <https://www.ietf.org/mailman/listinfo/core>> > >>> > > > > ____ _______________________________________________ > > DNSOP mailing list > > DNSOP@ietf.org <mailto:DNSOP@ietf.org> <mailto:DNSOP@ietf.org > <mailto:DNSOP@ietf.org>> > > https://www.ietf.org/mailman/listinfo/dnsop > <https://www.ietf.org/mailman/listinfo/dnsop> > > <https://www.ietf.org/mailman/listinfo/dnsop > <https://www.ietf.org/mailman/listinfo/dnsop>> > > >
- [dns-privacy] WGA call for draft-lenders-dns-over… Jaime Jiménez
- Re: [dns-privacy] [core] WGA call for draft-lende… Jaime Jiménez
- Re: [dns-privacy] [core] WGA call for draft-lende… Tim Wicinski
- Re: [dns-privacy] [core] WGA call for draft-lende… Ted Lemon
- Re: [dns-privacy] [core] WGA call for draft-lende… Carsten Bormann
- Re: [dns-privacy] [core] WGA call for draft-lende… Ted Lemon
- Re: [dns-privacy] [core] WGA call for draft-lende… Carsten Bormann
- Re: [dns-privacy] [core] WGA call for draft-lende… Martine Sophie Lenders
- Re: [dns-privacy] [core] WGA call for draft-lende… Ted Lemon
- Re: [dns-privacy] [core] WGA call for draft-lende… Matthias Waehlisch
- Re: [dns-privacy] [core] WGA call for draft-lende… Jaime Jiménez
- Re: [dns-privacy] [core] WGA call for draft-lende… Jaime Jiménez
- Re: [dns-privacy] [DNSOP] [core] WGA call for dra… Ben Schwartz
- Re: [dns-privacy] [DNSOP] [core] WGA call for dra… Vladimír Čunát
- Re: [dns-privacy] [DNSOP] [core] WGA call for dra… Alexander Mayrhofer
- Re: [dns-privacy] [core] [DNSOP] WGA call for dra… Martine Sophie Lenders
- Re: [dns-privacy] [core] [DNSOP] WGA call for dra… Ben Schwartz
- Re: [dns-privacy] [core] [DNSOP] WGA call for dra… Carsten Bormann
- Re: [dns-privacy] [core] [DNSOP] WGA call for dra… Martine Sophie Lenders
- Re: [dns-privacy] [DNSOP] [core] WGA call for dra… Ben Schwartz
- Re: [dns-privacy] [DNSOP] [core] WGA call for dra… Martine Sophie Lenders
- Re: [dns-privacy] [DNSOP] [core] WGA call for dra… Ben Schwartz
- [dns-privacy] draft-ietf-core-dns-over-coap-01 (w… Martine Sophie Lenders