[dns-privacy] -02 of draft-ietf-dprive-opportunistic-adotq

Paul Hoffman <paul.hoffman@icann.org> Thu, 01 April 2021 17:26 UTC

From: Paul Hoffman <paul.hoffman@icann.org>
To: "dprive@ietf.org" <dprive@ietf.org>
Date: Thu, 1 Apr 2021 17:25:23 +0000
Message-ID: <D282F006-0CE8-457B-99AD-84E5A5DCBD1F@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/fkso0hWt0HEDr3mL_QLXygRMwao>
Subject: [dns-privacy] -02 of draft-ietf-dprive-opportunistic-adotq

Greetings again. We have produced draft-ietf-dprive-opportunistic-adotq-02 based on extensive WG feedback before, during, and after the WG meeting. A couple of big changes include:

- All that fully-authenticated description we added to -01 before the WG meeting because we didn't know that draft-rescorla-dprive-adox-latest was coming? We removed that from our draft and point to draft-rescorla-dprive-adox-latest instead.

- The WG has not agreed on any reason to do authentication in opportunistic resolver-to-authoritative DNS, so we removed any mention of it, and now just talk about unauthenticated encryption.

- We changed the signaling mechanism to SVCB to align with draft-rescorla-dprive-adox-latest.

- Even though -01 stated explicitly that the protocol was optional for all authoritative servers, it seems that people want more. We now say more and point to the new RootOps document.

- Given that the WG is getting close to finishing DoQ, we put DoQ on the same footing as DoT in the document. We added DoH because it comes for free with using SVCB as a signal.

Given that the document is no longer about full opportunistic encryption (just about unauthenticated encryption), and that it is not just about DoT and DoQ, we propose that we change the file name to draft-ietf-dprive-unauth-to-authoritative after the WG has had some time to comment on this -02.

--Peter and Paul