[dns-privacy] A Few More Suggestions for the Requirements Draft
"Hollenbeck, Scott" <shollenbeck@verisign.com> Mon, 19 April 2021 15:08 UTC
Return-Path: <shollenbeck@verisign.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4AD63A34CF for <dns-privacy@ietfa.amsl.com>; Mon, 19 Apr 2021 08:08:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.199
X-Spam-Level:
X-Spam-Status: No, score=-0.199 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id izPU4U-ru091 for <dns-privacy@ietfa.amsl.com>; Mon, 19 Apr 2021 08:08:42 -0700 (PDT)
Received: from mail5.verisign.com (mail5.verisign.com [69.58.187.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BB4D3A34D3 for <dprive@ietf.org>; Mon, 19 Apr 2021 08:08:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=2593; q=dns/txt; s=VRSN; t=1618844922; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=KsLjNsWX9Udc2xyulJuoVDJWbGLAsGneR7kHyCgSRlg=; b=ioDq3fKq+yU3HZRbUJmMYzQJTaC2WNMoqzvJSha4220WnqF1s/Cj7h4l u+x7/JclXWLrWWxsVpWojM/BFABKdesG8Xoz7Ms4haSl1lx5/w/vCRU5w h/ZsE4pSXf+RNux0FA41disLuRP3WNv2bzQZP8c6f88goJg0l+z0MWiH+ bZNgl80f9P/wpyEesgbesZdbEoEM5T/k+oT6YkGA7WNch1fHdSenhbTQp CtEVEyriy/+Lur4U0/Dse0RI1LVuFYqpCi/mkWeG2RqX8/JbYE/XC0mqo Gn7DuvpOi749+ssByr5z43ytgP+tdr2pjgdT7caikB9ZND6hPuth3Ja2H w==;
IronPort-SDR: 8I41mTBy5C9uYmzco0VZK1XKB0hPhm+ZsZaaDaXpMA5daLqlHt0PVJ+lcCt+lBqO04c7oqaZv0 11DLwSL5sWlCMin6np7yHzNXsHQDABF8JmO+gHFQMi8Ui66dMT4VwkhNPH13VmQJLE0JHkF8eQ wpQo5d3gaDPr81lXowTIk9DwVJWknVHIsiHwMSy6+vXyK2l0tLHL2Eyu5wpScmnwZ4srNpHUAF 59ojfEtc2TN3aWuX5X3xSBeqQ3svj+4sy1qRMVFnCptdjT5Lv4hwrPNIqEp4Mf5DcJJWcfNtrD k6I=
IronPort-HdrOrdr: A9a23:tb3vbqu2wElyP8JMQtew/fmf7skD4dV00zAX/kB9WHVpW+afkN 2jm+le6AT9jywfVGpltdeLPqSBRn20z+8R3aA6O7C+UA76/Fa5NY0K1/qB/xTMEzDzn9Q86Y 5OaK57YeefMXFfreLXpDa1CMwhxt7vys+VrNzTxXtsUg1mApsIhztRMBqREUF9WWB9dPkEPa ebj/AnmxOQPVoaacihDmQIUqzpt7Tw+K7OUFojCwQ84AeDyRGl+NfBeSSw71M7XylUybkvtV LZlRf0j5/Pj9igxgTC23To45NapdvkxrJ4b/Cxtg==
X-IronPort-AV: E=Sophos;i="5.82,234,1613451600"; d="scan'208";a="6510952"
Received: from BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.4; Mon, 19 Apr 2021 11:08:40 -0400
Received: from BRN1WNEX02.vcorp.ad.vrsn.com ([fe80::7c0a:1cc:5def:9dde]) by BRN1WNEX02.vcorp.ad.vrsn.com ([fe80::7c0a:1cc:5def:9dde%4]) with mapi id 15.01.2242.008; Mon, 19 Apr 2021 11:08:40 -0400
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "dprive@ietf.org" <dprive@ietf.org>
Thread-Topic: A Few More Suggestions for the Requirements Draft
Thread-Index: Adc1JmDTl2PA57CeQxawHvYGbccYdA==
Date: Mon, 19 Apr 2021 15:08:40 +0000
Message-ID: <fc3621bb82f24753ba3a17d60df59879@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/dJUT8yZb0EgzMqJ_CYqHNpVgeUg>
Subject: [dns-privacy] A Few More Suggestions for the Requirements Draft
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2021 15:08:47 -0000
I have a few more suggestions for draft-ietf-dprive-phase2-requirements. In Section 5.1: After the current requirement #7, I'd like to suggest adding a requirement like this to make it clear that the authoritative name server determines if server authentication is required, or not: "The authoritative domain owner or their administrator MUST have the option to specify whether server authentication is required for all secure connections to the server." After the current requirement #9, I'd like to suggest a requirement like this to help make it clear that it's possible to the different name servers hosting a zone to have different secure connection requirements, and a recursor needs to be able to adapt appropriately: The recursor MUST have the option to vary its connection behavior on an authoritative name server to name server basis. This SHALL include whether a secure transport protocol MUST always be used (non-downgradable) or whether a secure transport protocol MAY be used on an opportunistic (not strict) basis in recognition that some servers for a domain might use a secure transport protocol and others might not. I'd like to propose a slight modification to number 10. An implementation may have an internal specification of preferences for its own purpose. For instance, a transport preferences cache. Access to that cache wouldn't require use of the DNS, so I think it makes sense to note that the requirement for DNS use is for access by others: OLD 10. The specification of secure transport preferences MUST be performed using the DNS and MUST NOT depend on non-DNS protocols. NEW: 10. The specification of secure transport preferences, when published for access by other parties, MUST be performed using the DNS and MUST NOT depend on non-DNS protocols. I think we need to add a normative reference to RFC 8446 in the current #11: OLD: For secure transports using TLS, TLS 1.3 (or later versions) MUST be supported and downgrades from TLS 1.3 to prior versions MUST not occur. NEW: For secure transports using TLS, TLS 1.3 ([RFC8446] or later versions) MUST be supported and downgrades from TLS 1.3 to prior versions MUST not occur. Do these seem reasonable? I'll close with a question: we've talked about server authentication, but not about client authentication. We should say something in the requirements draft about client authentication, but right now I'm not sure of what makes the most sense. OPTIONAL, REQUIRED, something else? Scott
- [dns-privacy] A Few More Suggestions for the Requ… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] A Few More Suggestions fo… Paul Hoffman
- Re: [dns-privacy] [Ext] A Few More Suggestions fo… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] A Few More Suggestions fo… Paul Hoffman
- Re: [dns-privacy] [Ext] A Few More Suggestions fo… Danny McPherson
- Re: [dns-privacy] [Ext] A Few More Suggestions fo… Brian Haberman
- Re: [dns-privacy] [Ext] A Few More Suggestions fo… Paul Hoffman
- Re: [dns-privacy] [Ext] A Few More Suggestions fo… Brian Haberman