Re: [dns-privacy] [Ext] Re: DPRIVE Interim: 10/29

Paul Hoffman <paul.hoffman@icann.org> Tue, 29 October 2019 14:19 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6C1A12001E for <dns-privacy@ietfa.amsl.com>; Tue, 29 Oct 2019 07:19:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g0TtXBNZGntD for <dns-privacy@ietfa.amsl.com>; Tue, 29 Oct 2019 07:19:46 -0700 (PDT)
Received: from ppa4.dc.icann.org (ppa4.dc.icann.org [192.0.46.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B202120018 for <dns-privacy@ietf.org>; Tue, 29 Oct 2019 07:19:46 -0700 (PDT)
Received: from PFE112-CA-1.pexch112.icann.org (out.west.pexch112.icann.org [64.78.40.7]) by ppa4.dc.icann.org (8.16.0.27/8.16.0.27) with ESMTPS id x9TEJi3m024282 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for <dns-privacy@ietf.org>; Tue, 29 Oct 2019 14:19:45 GMT
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-2.pexch112.icann.org (64.78.40.23) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 29 Oct 2019 07:19:42 -0700
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1497.000; Tue, 29 Oct 2019 07:19:42 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Thread-Topic: [Ext] Re: [dns-privacy] DPRIVE Interim: 10/29
Thread-Index: AQHVizfGtCIjVwZVrUCsA2UhYRvWvadyJrgA
Date: Tue, 29 Oct 2019 14:19:42 +0000
Message-ID: <1d9213c1-0ee1-fce0-1ebb-f8272284c285@icann.org>
References: <943e3973-f6a7-9f6e-a66a-33aff835bd5e@innovationslab.net> <503df6fb-b653-476f-055f-15c1a668ba36@innovationslab.net>
In-Reply-To: <503df6fb-b653-476f-055f-15c1a668ba36@innovationslab.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Thunderbird/68.2.0
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.32.234]
x-source-routing-agent: Processed
Content-Type: text/plain; charset="utf-8"
Content-ID: <9D542D981B1E2F42B4A3FF463C8C237C@pexch112.icann.org>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-10-29_04:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/e9_i_oKrp8PJ-4vWTUiDnEGxbxQ>
Subject: Re: [dns-privacy] [Ext] Re: DPRIVE Interim: 10/29
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Oct 2019 14:19:48 -0000

Here are a few responses to the initial draft. I will try to be on the call unless we lose power again.

There are many parts of the "core requirements" that seem out of place.

- Resolvers have never had to understand the different between the root zone and TLDs and SLDs and "other", so introducing that here might cause bikeshedding and lack of adoption. A simpler core requirement would be that DoT is required between resolvers and any interested authoritative server.

- QNAME minimization is orthogonal to adding cryptographic privacy. If you have a cryptographic tunnel, QNAME minimization adds overhead and the risk of additional round trips. On the other hand, some resolvers are perfectly happy using QNAME minimization all the time, so they shouldn't have to know whether to change settings if DoT is in use.

- The aggressive caching requirement mixes up aggressive caching and normal caching in the all-caps bit. Aggressive caching will reduce the number of TLS connections you need to set up, so it is a positive, but it is unclear how requiring it in order to use ADoT could be enforced.

- DNSSEC validation is orthogonal to adding cryptographic privacy.

--Paul Hoffman