Re: [dns-privacy] Addressing the DISCUSS points raised by the IESG on draft-ietf-dprive-xfr-over-tls-11

Ben Schwartz <bemasc@google.com> Wed, 05 May 2021 14:00 UTC

Return-Path: <bemasc@google.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 176233A0C7D for <dns-privacy@ietfa.amsl.com>; Wed, 5 May 2021 07:00:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Byq2QuxTnx2b for <dns-privacy@ietfa.amsl.com>; Wed, 5 May 2021 07:00:13 -0700 (PDT)
Received: from mail-wm1-x32f.google.com (mail-wm1-x32f.google.com [IPv6:2a00:1450:4864:20::32f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68BD43A0C7E for <dns-privacy@ietf.org>; Wed, 5 May 2021 07:00:13 -0700 (PDT)
Received: by mail-wm1-x32f.google.com with SMTP id a10-20020a05600c068ab029014dcda1971aso1387415wmn.3 for <dns-privacy@ietf.org>; Wed, 05 May 2021 07:00:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KTBVZesgEnnTnnnRzRfB2Ls9KkN+7R1s9fOrPWXAlLU=; b=JS5rIkoetEuEOsIBbbWfUINtlMM3fs3h2HXCiaGktZlFadOHID6r00tw5X8qj3JNSF xBLNW5h6y48p0bkc370F/Vkd1GNDMEkENdkXiYbyxq0/FMC9moxA6zAJkUtwz+5Hw7yr OCxb2NngdKJm/Gb9By59HrXkL1zGQbk8tKsZfQ7UvtZ7YU64lmK3rAZuQTqEPWJJI1wS gurOuW0NNVbircuud2Adh9tUNncECZHnU/oBpOFWs3bdd6FxFpv4AJVfemzugqrtWdZK oU5Fv7FM+T4N55Umqn9qXBr1/qvA89HkDORuQV/qV+jMhxrsZGviFmV11K6IlvEGVETc cgrw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KTBVZesgEnnTnnnRzRfB2Ls9KkN+7R1s9fOrPWXAlLU=; b=P/Lar4coe3ZqkcZX56Rv2+ih4xDeM4WTQdd21zBEhHe8uMWXpfhs5pw3ZF4gxhShAl Ecov0dYJpCKVSlr4gNOYxo6DHcMdFHiV52Cm11nSCsSISrpPmWcd7Zx2boPo2XpBLwUE Oaeww4ur4dljwH/0L5bpv08ncARfz4Q9yob5JgRIc+4cyDSpXn54KDanCk7+zV+5fXEE Zn930OYd6Jjn5UoEAwXnm7JXO+vBUnhQkkxmsycdghZzLcyLrZUb3ryOT40pq0USbolH d265MRVYIREaGvE7FSqpnMonbGlYI75PdQZcE9xlmILnswYtxY6qC08L9pKftY7pLjjo OShA==
X-Gm-Message-State: AOAM530UN05Hr/M7kTmzcGx4e6xQAhLMrehPwLXx3VxafDelweRirFFv XaYjrbmP/4fgU51pSJHy+DSjAiY2VC0C63XUA/8h1g==
X-Google-Smtp-Source: ABdhPJxDP4ItAK2Ng2YVaNnQ0ev5fp0XsXIyzDdekI3J5vtKPYeBPtPybOjv31BQa/OdYra1+clQWGxRfHSOnYWNmNE=
X-Received: by 2002:a1c:4482:: with SMTP id r124mr10124878wma.42.1620223206491; Wed, 05 May 2021 07:00:06 -0700 (PDT)
MIME-Version: 1.0
References: <1567B94D-F531-4E79-921E-0873FC4B5E06@cisco.com>
In-Reply-To: <1567B94D-F531-4E79-921E-0873FC4B5E06@cisco.com>
From: Ben Schwartz <bemasc@google.com>
Date: Wed, 5 May 2021 06:59:55 -0700
Message-ID: <CAHbrMsAGMTDKujKbxex6LRANdJOmpwgfjFsPjBr0T2jnMd4DwA@mail.gmail.com>
To: "Eric Vyncke (evyncke)" <evyncke=40cisco.com@dmarc.ietf.org>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "allison.mankin@gmail.com" <allison.mankin@gmail.com>, "shivankaulsahib@gmail.com" <shivankaulsahib@gmail.com>, "sara@sinodun.com" <sara@sinodun.com>, Benjamin Kaduk <kaduk@mit.edu>, "willem@nlnetlabs.nl" <willem@nlnetlabs.nl>, Martin Duke <martin.h.duke@gmail.com>, "paras@salesforce.com" <paras@salesforce.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="000000000000b3fcff05c1959c99"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/asADbFA1aTUQ2ohbeeZkg-juuw0>
Subject: Re: [dns-privacy] Addressing the DISCUSS points raised by the IESG on draft-ietf-dprive-xfr-over-tls-11
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 May 2021 14:00:18 -0000

ALPN: I think we should say that the ALPN is "dot", and use of ALPN is
OPTIONAL.

ACLs: IP ACLs, if present, should be applied before the TLS handshake, for
DoS defense.  Operators who want to maintain secret zone contents SHOULD
use cryptographic authentication instead.

On Tue, May 4, 2021 at 11:15 PM Eric Vyncke (evyncke) <evyncke=
40cisco.com@dmarc.ietf.org> wrote:

> [Message sent to authors, WG, and the DISCUSS-holding area directors]
>
>
>
> As you have seen by now[1], this document has raised at least two blocking
> DISCUSS points and those points will be discussed during Thursday 6th of
> May telechat (i.e., tomorrow in my timezone).
>
>
>
> My own reading of those DISCUSS ballots (perhaps more ballots to come):
>
> - not using ALPN code
>
> - text about the comparison between IP ACL and crypto authentications
>
>
>
> If possible, then I would appreciate some replies before the telechat by
> the authors on the recent Ben Kaduk’s points as Allison Mankin’s reply [2]
> (as well as Sara Dickinson’s ones) has already addressed Martin Duke’s
> concern about ALPN.
>
>
>
> The WG view on using ALPN is also important to move forward as it is an
> important technical change.
>
>
>
> As usual, everyone is welcome to join the telechat [3] as observer, it
> should be a short one.
>
>
>
> Thank you in advance for your replies (again if possible),
>
>
>
> Regards
>
>
>
> -éric
>
>
>
> [1]
> https://datatracker.ietf.org/doc/draft-ietf-dprive-xfr-over-tls/ballot/
>
> [2]
> https://mailarchive.ietf.org/arch/msg/dns-privacy/HaQ7SO8Ma9TW3v0Wrh18LD6BNy8/
>
> [3]
> https://mailarchive.ietf.org/arch/msg/ietf-announce/X7t76SwcK1fjMQsGb2Wy11R-cnw/
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy
>