Re: [dns-privacy] Alexey Melnikov's No Objection on draft-ietf-dprive-bcp-op-08: (with COMMENT)
Sara Dickinson <sara@sinodun.com> Wed, 04 March 2020 13:32 UTC
Return-Path: <sara@sinodun.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85BB23A0EF1; Wed, 4 Mar 2020 05:32:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sinodun.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cSGJ_BBWn24V; Wed, 4 Mar 2020 05:32:22 -0800 (PST)
Received: from balrog.mythic-beasts.com (balrog.mythic-beasts.com [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E1253A0AA3; Wed, 4 Mar 2020 05:32:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sinodun.com ; s=mythic-beasts-k1; h=To:Date:Subject:From; bh=wUDF5I2NzhsRRrYDLKa4CmAOSaNBOeWCaP3FtS1cVJw=; b=Oz9u+71gkEh4M3T0aF9VTsvyXc X4xLLTeaj4jQk6o3DI3VP75qZWLe8CesPMMbQUtjcHWeKo5bz0KJINEEYyzgRxIZVNzj4cfueDSiX loUsttocvedbgQlHOzxrV7SeTr041ZGmBUDeH8K3v+8AKE7qhditX06jZAw/oVDqzZocuwVW9huSc cA80V1toW2vFbL5r1wPzDbRQagFq4PB155f/WhM5xBpUnJ23hSTgKdSFozBigPWHOd+fj6OS+g8c8 1o9Mw/2htxS/QgURfXeDGNV3u1BzPSDdTGC3bqt3YE/h7YpTW4E3QDSnX7q1CcRmIhvSMDpDC8KH+ pLWcBrYA==;
Received: from [2001:b98:204:102:fffa::2] (port=63226) by balrog.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from <sara@sinodun.com>) id 1j9U8G-0001Dt-Kj; Wed, 04 Mar 2020 13:32:20 +0000
From: Sara Dickinson <sara@sinodun.com>
Message-Id: <0643CFB9-1AA8-4F75-AF83-9F5FDF0F3E0A@sinodun.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_DCC63038-820C-465F-8C2E-D3BDD6344827"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Wed, 04 Mar 2020 13:32:14 +0000
In-Reply-To: <158100793900.5172.2649631873195856414.idtracker@ietfa.amsl.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-dprive-bcp-op@ietf.org, Tim Wicinski <tjw.ietf@gmail.com>, dprive-chairs@ietf.org, dns-privacy@ietf.org, bemasc@google.com
To: Alexey Melnikov <aamelnikov@fastmail.fm>
References: <158100793900.5172.2649631873195856414.idtracker@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-BlackCat-Spam-Score: 4
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/i8A5g19JBaF-8WryCBGXQGbJuQ0>
Subject: Re: [dns-privacy] Alexey Melnikov's No Objection on draft-ietf-dprive-bcp-op-08: (with COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Mar 2020 13:32:26 -0000
> On 6 Feb 2020, at 16:52, Alexey Melnikov via Datatracker <noreply@ietf.org> wrote: > > Alexey Melnikov has entered the following ballot position for > draft-ietf-dprive-bcp-op-08: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-dprive-bcp-op/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > I think this is a very useful document and I am looking forward to it getting > published. > > I support updated Ben’s DISCUSS. > > ********************************************************************** > * Note, that I am conducting an experiment when people aspiring to be* > * Area Directors get exposed to AD work ("AD shadowing experiment"). * > * As a part of this experiment they get to review documents on IESG * > * telechats according to IESG Discuss criteria document and their * > * comments get relayed pretty much verbatim to relevant editors/WGs. * > * As an AD I retain responsibility in defending their position when * > * I agree with it. * > * Recipients of these reviews are encouraged to reply to me directly * > * about perceived successes or failures of this experiment. * > ********************************************************************** > > The following comments were provided by Benjamin Schwartz <bemasc@google.com>: > > Benjamin would have balloted *DISCUSS* on this document. He wrote: > > This draft is close to ready, but it contains some elements that are not > appropriate for IETF publication or lack IETF consensus. > > ## Section 1 > > Typo: “For example the user has a clear expectation of which resolvers have > visibility of their query data however this...” -> Add a period before > “however”. > Barry suggested this and additional grammatical improvements which I will make. > > Inappropriate subject matter: > > It is an untested area that simply using a DNS > resolution service constitutes consent from the user for the operator > to process their query data. > > This is legal speculation, not appropriate for IETF. Strike this sentence. I think this is an important point to make and no-one has contested this at any point in the development of the draft (I suspect DPRIVE is a good audience for anyone who would know any different). RFC7626 already includes this text: “To our knowledge, there are no specific privacy laws for DNS data, in any country. Interpreting general privacy laws like [data-protection-directive] (European Union) in the context of DNS traffic data is not an easy task, and we do not know a court precedent here. See an interesting analysis in [sidn-entrada].” I’m more than happy to qualify the text in this document with a ’To our knowledge, '… > > Clarity: > > Privacy considerations specifically > from the perspective of an end user ... are out of scope. > > This seems confusing as written: surely it is the privacy of end users (and not > of resolver operators) that this draft seeks to protect. Please rephrase or > omit this disclaimer. I think this is trying to capture the point that there are additional general considerations for an end user that an operator cannot control. Suggest: “Privacy considerations specifically from the perspective of an end user (for example, choice of client software or resolver selection policies)..." > > ## Section 5.1 > > Version skew: dprive-rfc7626-bis no longer has a Section 2.4.2 or 2.5.3. Ack - Ben K’s DISCUSS captures the problems with Section renumbering... > > ## Section 5.1.2 > > Clarity: Redirection of traffic to rogue servers does not match the usual > definition of “surveillance”. I would suggest adding an explanation of how > this active attack is a privacy threat. Presumably you are referring to merely > intercepting the user’s DNS queries, as opposed to substituting modified DNS > responses in order to monitor post-DNS network activity, but the text is not > clear on this distinction. Is is potentially both - section 2.5.3 (Rogue servers) is now section 3.5.1.2 (Active Attacks on Resolver Configuration) in draft-ietf-dprive-rfc7626-bis-04 which describes the issues in detail. So I believe updating the bullet point to be * Active attacks on resolver configuration as described in [I-D.ietf-dprive-rfc7626-bis] Section 3.5.1.2 (or whatever that section ends up being numbered) should do it? > > ## Section 5.1.3.1 > > Current practices: I don’t think either EDNS(0) Keepalive or DNS Stateful > Operations is currently in use with DNS-over-TLS, so this recommendation seems > too strong for a BCP. For example, this could say “Management of TLS > connections as described in RFC 7766. EDNS(0) Keepalive and DNS Stateful > Operations may provide additional performance benefits.” The Stubby client implements Keepalive and several test servers also use it: https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/ <https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/> Admittedly none of the big anycast services use it. How about moving it to a ‘Additional option’? Moving DSO to a separate sentence as you describe seems correct though as I am not aware of any implementation of that. > > Scope: The optimizations here are performance optimizations, which seem out of > place in this document. I would suggest focusing the document on “Encrypted > DNS Service Privacy Recommendations”, and remove any recommendations related to > performance and reliability, which are already well-covered by standards-track > RFCs. > > ## Section 5.2.1 > > Content: I think there’s a missing mitigation here, which is employed virtually > universally among large DNS Privacy deployments: IP erasure. DNS operators > typically distinguish between PII-logs, which are retained at most briefly, and > non-PII logs, which are retained for a longer period. I believe this is a best > practice and worth documenting. I think it is currently there but a bit hidden in the distinction between transient and retained data and also : “ If data is retained it should be encrypted and either aggregated, pseudonymized, or anonymized whenever possible.” So bullet 1 could have the following sentence added: “Such transient data may be deemed to require inclusion of personal identifiers and should be handled with appropriate care.” and bullet two the following: “Data retained for any period of time should use data minimisation techniques to remove personal identifiers." > > ## Section 5.3.1 > > Document interaction: This section comes awfully close to updating or > deprecating ECS, which we do not have IETF consensus for. I think the BCP here > should restrict itself to disclosing the server’s ECS behavior and imposed > prefix length limit. Ben K also made a comment on this... RFC7871 (which is only Informational) admits in the abstract that “... it has some known operational and privacy shortcomings” and section 2 suggests it should be disabled by default in client software and clients should be able to opt-out. The first bullet point (honouring the SOURCE PREFIX-LENGTH) is already specified in RFC8310. This document also has only limited scope… I would say that this text has DPRIVE consensus for its application specifically to DNS privacy services. > > ## Section 6.1.1 > > Terminology: “PII” appears here for the first time, and is not defined. Alissa suggested replacing with the definition of personal data from RFC 6973, which seems better. Best regards Sara.
- [dns-privacy] Alexey Melnikov's No Objection on d… Alexey Melnikov via Datatracker
- Re: [dns-privacy] Alexey Melnikov's No Objection … Sara Dickinson
- Re: [dns-privacy] Alexey Melnikov's No Objection … Ben Schwartz
- Re: [dns-privacy] Alexey Melnikov's No Objection … Sara Dickinson
- Re: [dns-privacy] Alexey Melnikov's No Objection … Ben Schwartz
- Re: [dns-privacy] Alexey Melnikov's No Objection … Vittorio Bertola