Re: [dns-privacy] Addressing the DISCUSS points raised by the IESG on draft-ietf-dprive-xfr-over-tls-11
Ben Schwartz <bemasc@google.com> Wed, 05 May 2021 14:00 UTC
References: <1567B94D-F531-4E79-921E-0873FC4B5E06@cisco.com>
In-Reply-To: <1567B94D-F531-4E79-921E-0873FC4B5E06@cisco.com>
From: Ben Schwartz <bemasc@google.com>
Date: Wed, 05 May 2021 06:59:55 -0700
Message-ID: <CAHbrMsAGMTDKujKbxex6LRANdJOmpwgfjFsPjBr0T2jnMd4DwA@mail.gmail.com>
To: "Eric Vyncke (evyncke)" <evyncke=40cisco.com@dmarc.ietf.org>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "allison.mankin@gmail.com" <allison.mankin@gmail.com>, "shivankaulsahib@gmail.com" <shivankaulsahib@gmail.com>, "sara@sinodun.com" <sara@sinodun.com>, Benjamin Kaduk <kaduk@mit.edu>, "willem@nlnetlabs.nl" <willem@nlnetlabs.nl>, Martin Duke <martin.h.duke@gmail.com>, "paras@salesforce.com" <paras@salesforce.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/asADbFA1aTUQ2ohbeeZkg-juuw0>
ALPN: I think we should say that the ALPN is "dot", and use of ALPN is OPTIONAL.

ACLs: IP ACLs, if present, should be applied before the TLS handshake, for DoS defense. Operators who want to maintain secret zone contents SHOULD use cryptographic authentication instead.

On Tue, May 4, 2021 at 11:15 PM Eric Vyncke (evyncke) <evyncke=40cisco.com@dmarc.ietf.org> wrote:

> [Message sent to authors, WG, and the DISCUSS-holding area directors]
>
> As you have seen by now [1], this document has raised at least two blocking DISCUSS points and those points will be discussed during the Thursday 6th of May telechat (i.e., tomorrow in my timezone).
>
> My own reading of those DISCUSS ballots (perhaps more ballots to come):
>
> - not using ALPN code
> - text about the comparison between IP ACL and crypto authentications
>
> If possible, then I would appreciate some replies before the telechat by the authors on the recent Ben Kaduk's points, as Allison Mankin's reply [2] (as well as Sara Dickinson's ones) has already addressed Martin Duke's concern about ALPN.
>
> The WG view on using ALPN is also important to move forward as it is an important technical change.
>
> As usual, everyone is welcome to join the telechat [3] as observer; it should be a short one.
>
> Thank you in advance for your replies (again if possible),
>
> Regards
>
> -éric
>
> [1] https://datatracker.ietf.org/doc/draft-ietf-dprive-xfr-over-tls/ballot/
> [2] https://mailarchive.ietf.org/arch/msg/dns-privacy/HaQ7SO8Ma9TW3v0Wrh18LD6BNy8/
> [3] https://mailarchive.ietf.org/arch/msg/ietf-announce/X7t76SwcK1fjMQsGb2Wy11R-cnw/
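As an added example, not taken from the thread or from any XoT implementation, a Python model of the server-side ordering Ben describes: the IP ACL is evaluated before any TLS handshake work, ALPN "dot" is handled as optional under the usual RFC 7301 server rules (no extension offered: proceed; extension offered without "dot": handshake failure), and a zone marked secret requires a cryptographically proven client identity rather than a source address. `ZonePolicy`, `Connection`, the stage names and all addresses and identities are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

DOT_ALPN = "dot"  # ALPN identifier proposed for XFR-over-TLS in the message above


@dataclass
class ZonePolicy:
    """Hypothetical per-zone transfer policy (constructed for this example)."""
    acl: list              # IP networks allowed to start a TLS handshake at all
    secret: bool           # zone contents must not be disclosed to unauthenticated peers
    authorized_ids: set    # identities proven in the handshake (e.g. mTLS cert names)


@dataclass
class Connection:
    """Constructed stand-in for an incoming XoT connection attempt."""
    peer_ip: str
    client_alpn: Optional[list]   # None: client sent no ALPN extension (ALPN is OPTIONAL)
    client_id: Optional[str]      # identity proven during the TLS handshake, or None
    stages: list = field(default_factory=list)   # records which steps were reached


def ip_acl_allows(peer_ip: str, acl) -> bool:
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(net) for net in acl)


def select_alpn(client_alpn):
    """RFC 7301 server side: no extension -> continue without ALPN;
    extension present but no overlap -> fatal no_application_protocol."""
    if client_alpn is None:
        return "none"
    return DOT_ALPN if DOT_ALPN in client_alpn else None


def handle_xfr_request(conn: Connection, policy: ZonePolicy) -> str:
    # 1. Cheap address check first, before any handshake CPU is spent (DoS defence).
    conn.stages.append("acl")
    if not ip_acl_allows(conn.peer_ip, policy.acl):
        return "refused: ip not in acl"
    # 2. TLS handshake, including ALPN negotiation.
    conn.stages.append("tls_handshake")
    alpn = select_alpn(conn.client_alpn)
    if alpn is None:
        return "refused: no_application_protocol"
    # 3. A source address is not an authenticator; secret zones need a proven identity.
    conn.stages.append("authz")
    if policy.secret and conn.client_id not in policy.authorized_ids:
        return "refused: cryptographic client authentication required"
    return f"xfr allowed (alpn={alpn})"
```

Checking `conn.stages` after a refusal shows where the connection was cut off, which is the property the ordering argument rests on: an ACL-rejected peer never reaches the handshake.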