IETF Logo Mail Archive

[dns-privacy] wglc feedback draft-ietf-dprive-bcp-op

Patrick McManus <mcmanus@ducksong.com> Wed, 16 October 2019 00:59 UTC

Return-Path: <mcmanus@ducksong.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3145120047 for <dns-privacy@ietfa.amsl.com>; Tue, 15 Oct 2019 17:59:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ducksong.com header.b=MYEd4Jqb; dkim=pass (2048-bit key) header.d=outbound.mailhop.org header.b=wo5PRI01
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8NTC0wfxbYOh for <dns-privacy@ietfa.amsl.com>; Tue, 15 Oct 2019 17:59:37 -0700 (PDT)
Received: from outbound2r.ore.mailhop.org (outbound2r.ore.mailhop.org [54.200.129.228]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6925F120830 for <dns-privacy@ietf.org>; Tue, 15 Oct 2019 17:59:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1571187577; cv=none; d=outbound.mailhop.org; s=arc-outbound20181012; b=P1CDNnOZyd1FuC2Myyb2LeJe91QboZq9fo9IbqyNQldMKtg2WTrjRtcP98haB6Azu0ls5L3ILWotO UrXWJdfr/CsEBfDwb5Jjr3JmEAtvlJcnjNc2p9vL6rPr+nAjTDRrAQTEbkKZzLlFiixbuFXwtOGAa7 fQodqL8Dae8mtN0SyamZdf9P4/ltZhEufjcwLg7c9eydWGLOgi04JzYiEmFBhfVjhOEyiLG5lv+yfB JwNpAiz2Bkfwx1ecgz8GWCt8wfR+j8YVWgU8mWWpJXyb2gTP9LyJYJX1Cug9flK3CzrXnO9tROppU7 lbe6Hzvzy2DTm1GJb7TTtSo4xOcfOWw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=outbound.mailhop.org; s=arc-outbound20181012; h=content-type:to:subject:message-id:date:from:mime-version:dkim-signature: dkim-signature:from; bh=dDMnzjFGv3bPGOsBNM2AdK8H8vL90bQXxSK1wm3oLDI=; b=XBMEbXV7S/7wet1gA6RamuFkWRoNk1CRPHaUXRO0JO5GWyWhXqt7YzicWC4buFlZCz5xVdrxVJcJs xowDj1iDVkoCWnsgtvur8pW+RQb3o8V6u87erCOmagGLCffdJQyv5BC0/cfwZaKk+/jRCqLa9VkLvn T1PfCWSBMhsMRLR4b14JH+VtMUflT8/kHLL8Q/n03RatgAXS0OnlP1zmbnVcWMAE3DJacEy9MPFmOX 0MDoTOtc/7tdr2AccgzhPrJY7yrI9SeXGNbUO52lkA5pTQ39kNUPC6WWpfEk4yCXaIxDGqmRLlWY9H uHk/WUHswX4i+zzIAst24/1Sc4u2TWw==
ARC-Authentication-Results: i=1; outbound4.ore.mailhop.org; spf=pass smtp.mailfrom=ducksong.com smtp.remote-ip=209.85.167.177; dmarc=none header.from=ducksong.com; arc=none header.oldest-pass=0;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ducksong.com; s=duo-1537391512170-ea99bbb3; h=content-type:to:subject:message-id:date:from:mime-version:from; bh=dDMnzjFGv3bPGOsBNM2AdK8H8vL90bQXxSK1wm3oLDI=; b=MYEd4JqbbEsJIJBLohnI7Sl9t6Y7sYhMyTcWnkArgcg6KOB7MD2h/sJgF3OtjIkAkHcF2skOIrBGm gQYwmGIyB5l5TEwGpibH4IQiYj6FG4MPHLb8GZ671Y9KhoEn82L9BQoVp5zgOsEEl+XE5jdON1Txz0 GfxI4tzh1BNFXH0g=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outbound.mailhop.org; s=dkim-high; h=content-type:to:subject:message-id:date:from:mime-version:from; bh=dDMnzjFGv3bPGOsBNM2AdK8H8vL90bQXxSK1wm3oLDI=; b=wo5PRI01lSs2F/dS5czW2oFlh6dMb7UM6PqiG2Td/EsRfsZirR7ivBpkXRG/CzzRKTSv7AuOGRZgp bjRC/kJW7MYmdzUzmJDKII675i+qQMnrmS5YI/Sop/h7sJ3j0BARv54jOeoAHyw5HIYArT7S2fr9Vf oIZT7uIdVJjxAiM9ognjx/jxPnzOJ5ZfTnsyWCAAihM3oh1bPDQz/d34W3oDbEiKkZkJ45GbebRZFW I+RTP/icB4aXxbjNVAVzb+TnllvBOU83wHeU7blbWavq8CQQTgeLNa4DD3Fgsz3cMWVJQQ9OoD0+q8 I/uJGK3DnsZ+jR+78HWgCpYJFM1tPUw==
X-MHO-RoutePath: bWNtYW51cw==
X-MHO-User: 38be3da5-efb0-11e9-85ed-13b9aae3a1d2
X-Report-Abuse-To: https://support.duocircle.com/support/solutions/articles/5000540958-duocircle-standard-smtp-abuse-information
X-Originating-IP: 209.85.167.177
X-Mail-Handler: DuoCircle Outbound SMTP
Received: from mail-oi1-f177.google.com (unknown [209.85.167.177]) by outbound4.ore.mailhop.org (Halon) with ESMTPSA id 38be3da5-efb0-11e9-85ed-13b9aae3a1d2; Wed, 16 Oct 2019 00:59:36 +0000 (UTC)
Received: by mail-oi1-f177.google.com with SMTP id k9so18565929oib.7 for <dns-privacy@ietf.org>; Tue, 15 Oct 2019 17:59:35 -0700 (PDT)
X-Gm-Message-State: APjAAAXSvVGdT2zEN0nVfdamasDVj0PVjXaRItkRi9+gdMxXxpVuXfEd 2JWr9q0rdHaBZutcat+gZ93j9quJoTmCnWbzwKI=
X-Google-Smtp-Source: APXvYqy1H6MKFIEyVsOi+Qrnuh3s2GUZS5L7pMenj+T+ioP7kW1VEpV8XOSlZZ0CkR8VRWJ2fK/v0JuVzEaUa8+HIHY=
X-Received: by 2002:a54:480a:: with SMTP id j10mr1103544oij.138.1571187575361; Tue, 15 Oct 2019 17:59:35 -0700 (PDT)
MIME-Version: 1.0
From: Patrick McManus <mcmanus@ducksong.com>
Date: Tue, 15 Oct 2019 17:59:24 -0700
X-Gmail-Original-Message-ID: <CAOdDvNq+d2nT2=ix73-Pq4DDG1gpGS7nPSEGrnORCb8xh1b3bw@mail.gmail.com>
Message-ID: <CAOdDvNq+d2nT2=ix73-Pq4DDG1gpGS7nPSEGrnORCb8xh1b3bw@mail.gmail.com>
To: DNS Privacy Working Group <dns-privacy@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004e188b0594fc9d10"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/hwOr6lOCc1xUIFjjnLANXTmQyUU>
Subject: [dns-privacy] wglc feedback draft-ietf-dprive-bcp-op
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Oct 2019 00:59:40 -0000

Hi All,

Thanks for doing this work! (draft-ietf-dprive-bcp-op)

I have a few pretty small comments.

1] There is a reference to "run a .onion [RFC7686] service endpoint".

1a] The reference to RFC 7686 is not about a service endpoint - it is about
the name .onion and how clients encountering them use them. Its not going
to help with what this bcp suggests in terms of a service endpoint.

1b] As this is a BCP, I question whether this is really advice driven by
BCP. How often is this done, and when it is done how much traffic is driven
through it so that we really understand the implications of it? This feels
more like an idea than a BCP backed up by wide experience... and there is
reason to think it might fall down at scale if really adopted as a best
practice.

2] "Clients should not be required to use TLS session resumption [RFC5077]
with TLS 1.2" can be made a bit better.

2a] how does one require a client to use a resumption method (which is what
the text warns about) in any event? Maybe we should say the server should
not offer them if it does not want linkability?

2b] the explicit reference to session tickets with 1.2 leaves out a bunch
of equivalent mechanisms such as ID based resumption and 1.3 based PSKs
that create a similar issue. DoH used language like "some form of session
resumption mechanism, such as section 2.2 of RFC8446" to try and capture it
all. perhaps that's helpful here too.

3] "Automate the generation and publication of certificates" could be
changed to say "Automate the generation, publication, and renewal of
certificates" to explicitly capture the riskiest part. It should also, IMO,
include an explicit reference to ACME (as at least an example) as we've got
a lot of experience now that ACME is a good way to actively manage
certificates through automation.

4] I am also concerned that it is unreasonable to suggest TLSA in a BCP
document. What are the examples of existing DNS Privacy Services doing so
and what are the examples of the matching clients using it? At what scale?
Do we have comparable evidence about robust management of that vs the more
traditional TLS PKI and ACME and tools built for that? any experience of
tlsa with doh at scale before mentioning it as a BCP?

hth. thanks for the consideration.

-Patrick

v2.23.0 | Report a Bug | By Email