Re: [dns-privacy] I-D Action: draft-ietf-dprive-phase2-requirements-01.txt
"Wessels, Duane" <dwessels@verisign.com> Mon, 22 June 2020 19:36 UTC
Return-Path: <dwessels@verisign.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA3883A110E for <dns-privacy@ietfa.amsl.com>; Mon, 22 Jun 2020 12:36:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IZfrLA1hWzYZ for <dns-privacy@ietfa.amsl.com>; Mon, 22 Jun 2020 12:36:08 -0700 (PDT)
Received: from mail6.verisign.com (mail6.verisign.com [69.58.187.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D24463A110C for <dns-privacy@ietf.org>; Mon, 22 Jun 2020 12:36:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=13853; q=dns/txt; s=VRSN; t=1592854569; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=0/m8JOT5LjrZfH58LvlfOegXmA7a/mVSUf6Bkjoqoe0=; b=Qe2kB27ifORHOja41gNhDb2aXZcKNTFCOmtZb50rb30HxUtp8ylYQshI FyUBux3rbgEsBUPJGN0VgSmgKKYT1xEMAyjqL0UosKabweZ/i4Kp6aMoC ACRBPEj2DgotQXO4/fiTeqqoBt25d29DhlqLuXZfP0SJhUSfMnSkmQ1GO fmU1DgzCyDhWlrvfSgaBmJv7FqPTCWlgnSn1WAsrCRGR8ydE4g0TimN1l S6z+pMd3HrWKEjZmeMOOmO24hiZU8nzPayhrPmb78njCRkjTaVwoFZC9O YSZttesmysNhUPr19MLe+jLlN4gjyB51izReJpEBYXLHgGCOi1vlSv4Dm Q==;
IronPort-SDR: G8WhCoxW6g8y3yxnXIf1gDB+ydHkCW5GKCTvzXaHiVPqVhOg2bSs46vuA1TG3Rdn6RJPJTNtYX YOTwVY5c+os5G4INO+7BrGncu9m1zb7aNSdWGtyCu7IE1dpmRqL/30/F1WDc1AfyeQKsMcHWKL nb1i+3ObUisgAeQzBPQzNQ9kWCR7hXnwXARE9KlLrneySkjqLXwl01f0ZL2SUmHL6oYNeTPmia OPNribVnnCN7DDV3jM7oKx5nqWASYspFDJ5SxMXMyeQ03J4ae5KrQ9jSj96bCZ6s89lZ9zvW+T CQ4=
X-IronPort-AV: E=Sophos; i="5.75,268,1589256000"; d="p7s'?scan'208"; a="1904636"
IronPort-PHdr: 9a23:iFAmlhYf//cDy5IagJX0pt7/LSx+4OfEezUN459isYplN5qZpsy5ZB7h7PlgxGXEQZ/co6odzbaP7ua5CTZLuMza+Fk5M7V0HycfjssXmwFySOWkMmbcaMDQUiohAc5ZX0Vk9XzoeWJcGcL5ekGA6ibqtW1aFRrwLxd6KfroEYDOkcu3y/qy+5rOaAlUmTaxe7x/IAi2oAnLq8UbgpVuJqksxhfXrHZDZvhby35vKV+PhRj3+92+/IRk8yReuvIh89BPXKDndKkmTrJWESorPXkt6MLkqRfMQw2P5mABUmoNiRpHHxLF7BDhUZjvtCbxq/dw1zObPc3ySrA0RCii4qJ2QxLmlCsLKzg0+3zMh8dukKxUvg6upx1nw47Vfo6VMuZ+frjAdt8eXGZNQ9pdWzBEDo66coABDfcOPfxAoof9uVUAsAe+CwevCuPhyDBGgX720rE13Ok6HgHKwAkgEsgOsHjIrtj4MroZX+CvzKnPyDXOd/1a1jfj54jTaRAuv/WMXalofcHMx0cvChnKjlOOpoDrIjiY0fkCsmaF4Op7TuKglWonqxpqrzix2MgskIjJhpkUylDL8yV12po6Jdq9SENiZ9OvDZRfuT2AOYRsXsMiX39nuDw8yrAepZO3YioHxZQoyhPdavGKfZSE7xDtWuqPITp0mXJrdr2hixiy8UWs1PDxW8m73VtXsCdIk8fAuH8R2hDP5caLV/1w9Vqv1zaI0gDc8OBEIUYsmKXFJJ8u2LswloIXsUvdBCP5hEL2jKqQe045+eao8/zqbqj6qpOGKoN5iA/zPr4zlsG/D+k0KAcDUmyD9eihyLHv51D1TbdWgvEsj6XUv5PXKd4GqqO6BQJez5wt5AylDzi81dQVhXwHLFVYdx2Zl4XpIFTOIOzgDfe4nlSsjC9nx/DYMb3lBZXANmXOnqv5c7pg60FS0AU9wtFD655KEL0BPu78WkjrtNzAFBM2KRG7z/z5CNVnzYMeX3iDDbOeMKPXqVOI5+QvLPeQZIINpTrxN+Ip6+PsgHI3g1MRYKmk0JUNZH23GvlqO0CZbmDtgtcFH2cKpA0+TOnyhVKfXz9ceW2yX7ki6TE/E4KrFpnDSZ63gLyAxye7H5JWZmZcBl+QFnfocp2IW+0QZyKKPs9hjjsEWKC6RIA/0xGusgj6xqFhLurQ/C0Xq47j1Nxv6OLIjhE+7zp0D8CF2WGXU250hn8IRyMx3K1nvEN9zEyD3bFgg/xCFNxT+elGXRs6NJPHzux1FczyWgzbcteOUlamTYbuPTZkZN83xdhGRFhwAdijiBzOxWL+CbITkbujIrgy/7741nLqYcB5nSXozq4k2hMZT9BUOGm9wuZT6gHVCsSBx0mGmr2xeKAH9DDA7maYzGWI+kpfVVgjAu3+QXkDax6O/pzC7UTYQurrUOx/Pw==
X-IPAS-Result: A2F4AgDpBvFe/zGZrQpmHgEBCxIMgX8LgXuBHiuBCAqEGpENg3OWDxSBaAQHAQEBAQEBAQEBAwQBGxQEAQEChEUCgi0lNAkOAgMBAQsBAQEFAQEBAQEGAwEBAQKGRAyCOykBcH4BAQEBAQEBAQEBAQEBAQEBAQEBARUCgRQ2AQQBIyYwBQsCAQhCAgICMCUCBA4TgxgBglwRtg6BK4EyhVGFIRCBOIFTiyqBQj6BESccgk0+g34lAhc/glYzgi0EmQWaTIECAweCWoQoglSSMB2ee6wkg08CBAIEBQIVgVOCEHAVOyoBgj4JNRIXAg2OJQUXFG4BB4JEilZ0NwIGAQcBAQMJjkICAiuBBoERAQE
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Mon, 22 Jun 2020 15:36:05 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%6]) with mapi id 15.01.1913.005; Mon, 22 Jun 2020 15:36:05 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Benno Overeinder <benno@NLnetLabs.nl>
CC: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Thread-Topic: [EXTERNAL] [dns-privacy] I-D Action: draft-ietf-dprive-phase2-requirements-01.txt
Thread-Index: AQHWSMxesuhnMaF3nk+lUoP94seCLA==
Date: Mon, 22 Jun 2020 19:36:05 +0000
Message-ID: <B12982BA-3D00-46BD-AA2E-80C8CE45DDD6@verisign.com>
References: <159234366460.2400.12637173675987685004@ietfa.amsl.com> <ea861403-19c8-d7a8-e6bd-e3485c37164e@NLnetLabs.nl>
In-Reply-To: <ea861403-19c8-d7a8-e6bd-e3485c37164e@NLnetLabs.nl>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3445.104.14)
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_F8942E27-5BD5-485F-8D71-92A82D817C61"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/eMtjqBBu6m7YhKEHkW5ZKfvZohg>
Subject: Re: [dns-privacy] I-D Action: draft-ietf-dprive-phase2-requirements-01.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jun 2020 19:36:10 -0000
Hi Benno, Alex, and Jason. I have a few comments and questions about this version. Hopefully these are helpful. DW > 5. Requirements > > The requirements of different interested stakeholders are outlined > below. > Perhaps this is obvious others, but I would like to see a better explanation of exactly what kind of requirements these are meant to be. Are they implementation or protocol requirements (versus operational requirements)? Or requirements of some other type? Also, I'm struggling a little bit with "interested stakeholders" above. I don't think these are requirements *on* stakeholders. Maybe it would be better to say something like "[protocol] requirements of different elements are outlined below."? > 5.1. Mandatory Requirements > > 1. Each implementing party should be able to independently take > incremental steps to meet requirements without the need for > close coordination (e.g. loosely coupled) If that is a requirement then MUST/must instead of "should"? > 2. Use a secure transport protocol between a recursive resolver and > authoritative servers > > 3. Use a secure transport protocol between a recursive resolver and > TLD servers > > 4. Use a secure transport protocol between a recursive resolver and > the root servers These were worded a differently in an earlier version. The following text is from draft-lmo-dprive-phase2-requirements-01: > 2. Implement DoT between a recursive resolver and single level domain > authoritative servers (high risk, high priority) > > 3. Implement DNS privacy protections between a recursive resolver and > TLD servers (low risk, low priority) > > 4. Implement DNS privacy protections between a recursive resolver and > the root servers (low risk, low priority) I get why DoT was changed in #2, but why was "DNS privacy protections" changed to "a secure transport protocol"? Why were the risk and priority classifications removed? Also, I'm not sure how these are requirements as written (e.g., they lack RFC 2119 key words). And, on whom or what are these requirements placed upon? > 5. The secure transport MUST only be established when referential > integrity can be verified, MUST NOT have circular dependencies, > and MUST be easily analyzed for diagnostic purposes. > I think the "MUST NOT have circular dependencies" requirement should be further explored (i.e., more text). Since item 9 below says that specification of preferences must occur using DNS only, is that itself a circular dependency? Also, could more be said about the "easily analyzed" part? "easily" might be subjective, unless there is to be some way to quantify this requirement? > 6. Use a secure transport protocol or other DNS privacy protections > in a manner that enables operators to perform appropriate > performance and security monitoring, conduct relevant research, > etc. Again, not sure how this is a requirement or for whom it is a requirement. Does it mean something like "use of secure transport protocols MUST NOT prevent operators [of xxx] from performing appropriate performance and security monitoring, conducting research, etc."? > 7. The authoritative domain owner or their administrator MUST have > the option to specify their secure transport preferences (e.g. > what specific protocols are supported). This SHALL include a > method to publish a list of secure transport protocols (e.g. > DoH, DoT and other future protocols not yet developed). In > addition this SHALL include whether a secure transport protocol > MUST always be used (non-downgradable) or whether a secure > transport protocol MAY be used on an opportunistic (not strict) > basis. > > 8. The authoritative domain owner or their administrator MUST have > the option to vary their preferences on an authoritative > nameserver to nameserver basis, due to the fact that > administration of a particular DNS zone may be delegated to > multiple parties (such as several CDNs), each of which may have > different technical capabilities. Including that some servers for a domain may use secure transport and others may not? It is common for a given name server to be authoritative for multiple zones. Should this document state that a name server can provide secure transport for one zone but not another? > 9. The specification of secure transport preferences MUST be > performed using the DNS and MUST NOT depend on non-DNS > protocols. > > 10. For the secure transport, TLS 1.3 (or later versions) MUST be > supported and downgrades from TLS 1.3 to prior versions MUST not > occur. > It seems like #10 should be qualified with something like "For TLS-based transports..." since there might be some future secure transport that is not based on TLS? > 5.2. Optional Requirements > Optional Requirements is perhaps an oxymoron? Maybe "Recommendations" of some kind? > 1. QNAME minimisation SHOULD be implemented in all steps of > recursion > > 2. DNSSEC validation SHOULD be performed > > 3. If an authoritative domain owner or their administrator indicates > that (1) multiple secure transport protocols are available or > that (2) a secure transport and insecure transport are available, > then per the recommendations in [RFC8305] (aka Happy Eyeballs) a > recursive server SHOULD initiate concurrent connections to > available protocols. Consistent with Section 2 of [RFC8305] this > would be: (1) Initiation of asynchronous DNS queries to determine > what transport protocols are supported, (2) Sorting of resolved > destination transport protocols, (3) Initiation of asynchronous > connection attempts, and (4) Establishment of one connection, > which cancels all other attempts. > To me this item about happy eyeballs feels out of place in this document, and I worry that we are not fully aware of the amplification effects that can occur from multiple layers of happy eyeballs. For example, user clicks on www.example.com URL. Happy eyeballs browser looks up both A and AAAA records (maybe more with new stuff like HTTPS & SVCB). Happy eyeballs recursive sends queries to both IPv4 and IPv6 addresses of name server. That’s 2x2=4 queries for the single click. Now add secure transport happy eyeballs and it becomes 2x2xN for however many secure transports are given. IMO this needs further study and discussion before recommending it.
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Benno Overeinder
- [dns-privacy] I-D Action: draft-ietf-dprive-phase… internet-drafts
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Benno Overeinder
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Wessels, Duane