Re: [dns-privacy] Last Call: <draft-ietf-dprive-bcp-op-07.txt> (Recommendations for DNS Privacy Service Operators) to Best Current Practice
Rob Sayre <sayrer@gmail.com> Thu, 19 December 2019 20:15 UTC
Return-Path: <sayrer@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E859E120B93; Thu, 19 Dec 2019 12:15:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nm90yOM4hLrX; Thu, 19 Dec 2019 12:15:46 -0800 (PST)
Received: from mail-io1-xd43.google.com (mail-io1-xd43.google.com [IPv6:2607:f8b0:4864:20::d43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B67F4120A96; Thu, 19 Dec 2019 12:15:43 -0800 (PST)
Received: by mail-io1-xd43.google.com with SMTP id r13so7098634ioa.3; Thu, 19 Dec 2019 12:15:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fFHDL3WF6Hy/I1Di1dovsUpMi6oA+OmNoFN/IYSgLFA=; b=J5FVWXUZ7/QLKqzw3nYE1prqFXPB4GlUntqTbVoGhRQlmjYrRGvWuE7EhT++zkweWX Pg/GRJ6xrxfyaaYqKKpN7GtUY28hPgidPkoaAO4SDBRdek4gzN5Wi+k/sNKse7wP8xGS Qw+md2baIU5K/J2PpNiKCd7cWrTflSS2e0LosdZQndl5uiUn11EAKxYWxcmJWz4UZowc 68z/wg2z8DLVosryQcpZjTAHH6BUEhlny3d+/oclyH03lrGk2n+DjAnnCnp8kPxM80Yb Sjm0kWg/MBTdDuSjj5kQl2A/6iq1B4w9JP9ryCvjGMKOXm5RoO4/o8gzi1obCyKtImnG h+2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fFHDL3WF6Hy/I1Di1dovsUpMi6oA+OmNoFN/IYSgLFA=; b=lUsc6eQw0TORGWtk03904tEBYMJh9le6AuTDvMQjluu97SB54vf8V3ahswaHAlKJg+ dUiJtnOiBtOsVI5BjEdIhYHuSoz+gU1xM6YJYY1GBU6brhKkb9yVsZlv0Tw6kzekfDlf u+hFgNsNHrBqEIuDfVT9fXWFSvHO+ijzVKUkEAzvXv8UiTcOwSIrPsXCIMwBdesBWE1c s8Y/ujChpq02wBbZpXBgbd+G8Id6hYYte3h9fi6m9ApKJ1OTMeOwUAwGLQ4+FZqYuD3h ToEHI/VyL+U2f2v2rdwgqJUxd3mdILRGzPWHwETWg5Q3EMJ8N6nuMkxo3drfqILZrEyg uc8g==
X-Gm-Message-State: APjAAAWQ3CzceFKRsmMU3pWzq/riQ/ieaX/e+uHDrVMXxOBaJhnMSXhj u2dfmHK3o2BuVV/cigoFM7dGSdFOuoBJ9nbYe5uqIyOHb9g=
X-Google-Smtp-Source: APXvYqw/NfjeG0TsBkImXr0Ew/TPAWrnVkompoWLqx2Zwbp9N2UX7eoXrfWfNc1x/7TM90ow8qXHHUBtarD5L2z9h4c=
X-Received: by 2002:a02:b893:: with SMTP id p19mr8651955jam.103.1576786542589; Thu, 19 Dec 2019 12:15:42 -0800 (PST)
MIME-Version: 1.0
References: <157676591810.27491.5332518530732320835.idtracker@ietfa.amsl.com>
In-Reply-To: <157676591810.27491.5332518530732320835.idtracker@ietfa.amsl.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Thu, 19 Dec 2019 12:15:30 -0800
Message-ID: <CAChr6Sx4UfYkgnsqLmN467GQJ5Qayo0o3mfy7dCcLhzAduQAHw@mail.gmail.com>
To: last-call@ietf.org
Cc: IETF-Announce <ietf-announce@ietf.org>, Tim Wicinski <tjw.ietf@gmail.com>, draft-ietf-dprive-bcp-op@ietf.org, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, DNS Privacy Working Group <dns-privacy@ietf.org>, dprive-chairs@ietf.org
Content-Type: multipart/alternative; boundary="000000000000c1fca7059a14397e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/cxng_vfGqkyhj_SgMCPy5P1N1Ls>
Subject: Re: [dns-privacy] Last Call: <draft-ietf-dprive-bcp-op-07.txt> (Recommendations for DNS Privacy Service Operators) to Best Current Practice
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Dec 2019 20:15:49 -0000
Hi, I found two issues with draft-07. The document mentions unattributed "concerns" in a few places. That doesn't seem like helpful content, but I can't say that such "concerns" and rampant use of the passive voice are uncommon in today's IETF. Secondly, I found the entire section "3.5.1.5.2. DoH Specific Considerations" to be objectionable, and recommend removing it. It mentions many concerns that are better covered in RFC 8484 and/or HTTP RFCs, and contrasts DoH with DoT in ways that are specious. Both TLS and HTTP allow extension fields and metadata, so there's nothing unique to DoH here (source: I've implemented DoH and ESNI clients). The entire section amounts to a description of fields that privacy conscious DoH clients /might/ send if they were poorly implemented. But it seems strange to stop there. Implementation quality ratholes can go on for a while: for example, the document doesn't mention the numerous problems with today's TLS, PKI, and BGP infrastructure that apply to both DoT and DoH. thanks, Rob On Thu, Dec 19, 2019 at 6:32 AM The IESG <iesg-secretary@ietf.org> wrote: > > The IESG has received a request from the DNS PRIVate Exchange WG (dprive) > to > consider the following document: - 'Recommendations for DNS Privacy Service > Operators' > <draft-ietf-dprive-bcp-op-07.txt> as Best Current Practice > > The IESG plans to make a decision in the next few weeks, and solicits final > comments on this action. Please send substantive comments to the > last-call@ietf.org mailing lists by 2020-01-02. Exceptionally, comments > may > be sent to iesg@ietf.org instead. In either case, please retain the > beginning > of the Subject line to allow automated sorting. > > Abstract > > > This document presents operational, policy and security > considerations for DNS recursive resolver operators who choose to > offer DNS Privacy services. With these recommendations, the operator > can make deliberate decisions regarding which services to provide, > and how the decisions and alternatives impact the privacy of users. > > This document also presents a framework to assist writers of a DNS > Recursive Operator Privacy Statement (analogous to DNS Security > Extensions (DNSSEC) Policies and DNSSEC Practice Statements described > in RFC6841). > > > > > The file can be obtained via > https://datatracker.ietf.org/doc/draft-ietf-dprive-bcp-op/ > > IESG discussion can be tracked via > https://datatracker.ietf.org/doc/draft-ietf-dprive-bcp-op/ballot/ > > > No IPR declarations have been submitted directly on this I-D. > > > The document contains these normative downward references. > See RFC 3967 for additional information: > rfc8404: Effects of Pervasive Encryption on Operators (Informational - > IETF stream) > rfc8467: Padding Policies for Extension Mechanisms for DNS (EDNS(0)) > (Experimental - IETF stream) > rfc7828: The edns-tcp-keepalive EDNS0 Option (Proposed Standard - IETF > stream) > rfc8484: DNS Queries over HTTPS (DoH) (Proposed Standard - IETF stream) > rfc6973: Privacy Considerations for Internet Protocols (Informational > - IAB stream) > rfc7766: DNS Transport over TCP - Implementation Requirements > (Proposed Standard - IETF stream) > rfc6265: HTTP State Management Mechanism (Proposed Standard - IETF > stream) > rfc8310: Usage Profiles for DNS over TLS and DNS over DTLS (Proposed > Standard - IETF stream) > rfc7626: DNS Privacy Considerations (Informational - IETF stream) > rfc7830: The EDNS(0) Padding Option (Proposed Standard - IETF stream) > rfc7873: Domain Name System (DNS) Cookies (Proposed Standard - IETF > stream) > rfc7858: Specification for DNS over Transport Layer Security (TLS) > (Proposed Standard - IETF stream) > rfc7871: Client Subnet in DNS Queries (Informational - IETF stream) > draft-ietf-dprive-rfc7626-bis: DNS Privacy Considerations (None - IETF > stream) > rfc7816: DNS Query Name Minimisation to Improve Privacy (Experimental > - IETF stream) > > > > _______________________________________________ > dns-privacy mailing list > dns-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/dns-privacy >
- [dns-privacy] Last Call: <draft-ietf-dprive-bcp-o… The IESG
- Re: [dns-privacy] Last Call: <draft-ietf-dprive-b… Rob Sayre
- Re: [dns-privacy] Last Call: <draft-ietf-dprive-b… S Moonesamy
- Re: [dns-privacy] Last Call: <draft-ietf-dprive-b… Rob Sayre
- Re: [dns-privacy] Last Call: <draft-ietf-dprive-b… Roland van Rijswijk-Deij