IETF Logo Mail Archive

Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-unilateral-probing

Philip Homburg <pch-ietf-dprive@u-1.phicoh.com> Wed, 07 June 2023 08:05 UTC

Return-Path: <pch-b538D2F77@u-1.phicoh.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B26AC14CE3B for <dns-privacy@ietfa.amsl.com>; Wed, 7 Jun 2023 01:05:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dYG7-c_rxdnS for <dns-privacy@ietfa.amsl.com>; Wed, 7 Jun 2023 01:05:37 -0700 (PDT)
Received: from stereo.hq.phicoh.net (stereo.hq.phicoh.net [45.83.6.19]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9C78C14CE47 for <dns-privacy@ietf.org>; Wed, 7 Jun 2023 01:05:33 -0700 (PDT)
Received: from stereo.hq.phicoh.net (localhost [::ffff:127.0.0.1]) by stereo.hq.phicoh.net with esmtp (TLS version=TLSv1.2 cipher=ECDHE-RSA-CHACHA20-POLY1305) (Smail #158) id m1q6oAa-0000KqC; Wed, 7 Jun 2023 10:05:28 +0200
Message-Id: <m1q6oAa-0000KqC@stereo.hq.phicoh.net>
To: dns-privacy@ietf.org
Cc: Paul Hoffman <paul.hoffman@icann.org>
From: Philip Homburg <pch-ietf-dprive@u-1.phicoh.com>
Sender: pch-b538D2F77@u-1.phicoh.com
References: <64e17d73-ea1a-00cb-a8a5-b5cfb39c37ae@innovationslab.net> <45ada5a8-b483-dae7-eb56-88411fb2f75c@innovationslab.net> <7a3cd83a-b80d-f00d-b050-0a1d4845146b@innovationslab.net> <D7C916AC-E47D-45FE-9976-188DAE0775EF@icann.org> <CADyWQ+HMj5NH1g_oCTNxYkGDmp2L3EwmMyOv2-bXeXvp5kvm0A@mail.gmail.com> <6B55CCC0-069F-43DD-B9DA-024E4334D6F4@icann.org> <20c5ac1666e4428b8ffa70c7b9e8a19c@verisign.com> <CADyWQ+HJ7ZLWfwxr6vb9HsERMJXuu-1zD_=cr4S+mZ1ieWrYwQ@mail.gmail.com> <0007CDA7-ADD3-43BB-B5D3-3B1810206E0E@icann.org> <8fbed8926b3f4e28b9f3f76a85e0b619@verisign.com> <CANMuhxt5cE--GUtapEL69dFkAFSU5dF3psMCgNRKj8_dXpsFLA@mail.gmail.com> <ABE27A4A-BA96-4505-A3E3-1FE83CAA5A63@icann.org> <m1q6YGM-0000KoC@stereo.hq.phicoh.net> <3B79D45A-1F95-4A4A-9F8D-D3D9C424B4B2@icann.org>
In-reply-to: Your message of "Tue, 6 Jun 2023 15:21:51 +0000 ." <3B79D45A-1F95-4A4A-9F8D-D3D9C424B4B2@icann.org>
Date: Wed, 07 Jun 2023 10:05:26 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/bva1qHvaP5muKjxnkzxabiCtOIU>
Subject: Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-unilateral-probing
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jun 2023 08:05:41 -0000

> We still have time to add those known operational considerations.
> In fact, we should be listing those even if this is an experimental
> RFC.

The experiment could just be to gain operational experience. We can be upfront
that we don't know what will happen, and encourage people to be careful.

> If so, they are not following the draft:
> 
> An authoritative server implementing DoT or DoQ MUST authoritatively
> serve the same zones over all supported transports.  If both DoT
> and DoQ are offered, a nameserver's reply to a particular query
> MUST be the same on both transports (with the possible exception
> of how the TC bit is set).
> 
> Which authoritative servers are serving different content on 853,
> and what are the differences? We should certainly discuss that in
> the draft.

Of course they are not following this draft. After all this is just a draft.
They are following RFC 7858 (DoT) and are running a recursive resolver on
this port. I don't know if they also have a recursor on port 53, that is very
well possible. The problem is that they have an authoritative on 53 but not
on 853.

The problem is that this draft is essentially updating RFC 7858 without
explicitly doing so. 

> How to reach them: no idea. How to deal with that: it's prohibited
> with MUST-level language.

The obvious 'solution' is to move this draft to a new port, because 853 is
already in use for other traffic.

Just adding a MUST that is in conflict with current practice makes for a poor
standard. If the problem is small, then experimental is fine and we can
start telling people that they have to stop doing this. 

> Are you talking about authoritative servers or the client-facing
> side of recursive resolvers? If the latter, that's very clearly
> out of scope for this document (or any document other than the DoT
> spec). But if it authoritative servers doing something else on 853,
> we should certainly cover it.

Yes, I'm talking about recursive. And that's why I said, the operational
aspects are not sufficiently discussed. Marking recursive out of scope does
not help when other recursive resolvers connect to such servers.

> If you have suggestions for what more could be said, we'd be happy
> to add them. Note that the DNS traffic will not automatically switch
> to TLS or QUIC: probe traffic will increase. The DNS traffic will
> only switch if the authoritative server operators turn on the
> service. The increase in probe traffic is covered throughout the
> document, but if you think that adding more in a particular place
> would help reduce negative impacts, please say where and we can
> add it.

No, I'm saying it should be experimental because we don't know and should
experiment. 

> I don't understand this. All security protocols are optional. The
> existence of this draft, when it becomes an RFC, does not force
> any client to use it, just as no resolver is forced to set the DO
> bit on queries and then interpret the DNSSEC material in the
> responses.

Usually, if you say you implement a security standard, it should actually be
secure if you follow the standard. It is a bad security standard, if the
standard says that you can stop being secure if you are overloaded. That
only leads to problems later on.

What if TLS would say that you can stop encrypting data if you get overloaded.
People would get very upset.

> Yep, that's what we are discussing. What criteria would you use to
> determine the success of the experiment?

The success of the experiement is that operational issues are documented,
including operational practices and the feedback of the experiment is
used in a new draft that is intended to become a standard.

>From https://www.ietf.org/standards/process/informational-vs-experimental/

"If the IETF may publish something based on this on the standards track once we know how well this one works, it's Experimental. This is the typical case of not being able to decide which protocol is "better" before we have experience of dealing with them from a stable specification. Case in point: "PGM Reliable Transport Protocol Specification" (RFC 3208)"

So I think it best to no longer delay this draft, publish it as experimental
and gain experience in how this actually works.

v2.23.0 | Report a Bug | By Email