IETF Logo Mail Archive

Re: [dns-privacy] Second Working Group Last Call for draft-ietf-dprive-bcp-op

Sara Dickinson <sara@sinodun.com> Wed, 06 November 2019 13:16 UTC

Return-Path: <sara@sinodun.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3A8C120887 for <dns-privacy@ietfa.amsl.com>; Wed, 6 Nov 2019 05:16:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sinodun.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oQxD1Htr4GNh for <dns-privacy@ietfa.amsl.com>; Wed, 6 Nov 2019 05:16:37 -0800 (PST)
Received: from balrog.mythic-beasts.com (balrog.mythic-beasts.com [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FB4B120835 for <dns-privacy@ietf.org>; Wed, 6 Nov 2019 05:16:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sinodun.com ; s=mythic-beasts-k1; h=To:Date:Subject:From; bh=4N2aX9mqGOQxkslX1bDu4I8aol5gt2LHEfgLKo6dX6o=; b=ILlOel3bkKclp2lfavJBJUQxwu jF2/3g6t5yAYaL2MeG1ECttwnuUHiyTdSYBAR3wgEej+81e0EfwYKQeKIJWE6DwbAgRsbS/zrwaw+ IQC1XEOIOB7/L67EFKYMEEW2tnPagiS5UxkOR0LeD+yYN/lq3tJ/cBR8muN/gXNtSvHVlbQSwch3x sMBa2/R0p/Syy6UF8ZYPOg1kU6APyMFVrSBSXJ5K6FlPMI+sTJYubRPCoZ5E6u2SWax95e7NNtUGG KXUYC0b+UFAYsJEIjdlrip069GBYXSYbHcqUULG+wag9I0xoGv2Ak32zpr0onYMQYgX55tsyMWUv7 xWq0HZVw==;
Received: from [62.232.251.194] (port=17954 helo=[192.168.12.23]) by balrog.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from <sara@sinodun.com>) id 1iSLAm-0004bj-2I; Wed, 06 Nov 2019 13:16:36 +0000
From: Sara Dickinson <sara@sinodun.com>
Message-Id: <7489BA67-4037-444D-AB10-71A3EECB98D5@sinodun.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B84B5601-59DA-4688-A607-E493CC6A7000"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Wed, 06 Nov 2019 13:16:29 +0000
In-Reply-To: <20191101103831.GA22563@sources.org>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, dns-privacy@ietf.org
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
References: <CADyWQ+GirqA_VKYTAjGpV+aFMQiio2AAqtMX_2SRg45Crpf_-A@mail.gmail.com> <20191101103831.GA22563@sources.org>
X-Mailer: Apple Mail (2.3445.104.11)
X-BlackCat-Spam-Score: 14
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/j7WHgR053D-hJSUYNjmys18Lu8E>
Subject: Re: [dns-privacy] Second Working Group Last Call for draft-ietf-dprive-bcp-op
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Nov 2019 13:16:41 -0000

> From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
> Subject: Re: [dns-privacy] Second Working Group Last Call for draft-ietf-dprive-bcp-op
> Date: 1 November 2019 at 10:38:31 GMT
> To: Tim Wicinski <tjw.ietf@gmail.com>
> Cc: dns-privacy@ietf.org
> 
> On Thu, Oct 31, 2019 at 11:24:45AM -0400,
> Tim Wicinski <tjw.ietf@gmail.com> wrote 
> a message of 113 lines which said:
> 
>> This starts a Second Working Group Last Call for draft-ietf-dprive-bcp-op
> 
> Background: I run a small (very small) public DoH and DoT resolver,
> and it has a DROP (a policy). If you want to read it, it is only in
> french: <https://doh.bortzmeyer.fr/policy>. I checked it against
> section 6 and appendix C.
> 
> Executive summary: the draft is fine and useful and, IMHO, should be
> published.

Hi Stephane,

Thanks for the review!

> 
> A few issues:
> 
> * the first paragraph of section 4 should be deleted since the draft
> does not use RFC2119 (and rightly so), except one lonely SHOULD in
> section 5.

The current usage is the result of a discussion on the very first version of the draft (draft-dickinson-dprive-bcp-op-00, June 2018) and since then (limited) usage of RFC2119 language has been present. There have been comments on both sides that the language should be stronger and weaker and this was the compromise outcome. The SHOULD does ripple through the document though as it defines all the Mitigations listed in the later sections as being recommended for minimal compliance. How much of an issue is this for you?

> 
> * "A DNS privacy service must be engineered for high availability."
> I'm not in favor of this sentence. 1) It seems to despise small
> resolvers managed by small organisations, while we need many diverse
> DoT and DoH resolvers, to avoid centralisation 2) Today, Firefox,
> unfortunately, does not allow to add more than one DoH resolver, which
> makes the DoH resolver a very critical resource. But I hope that in
> the future, we will be able to configure several resolvers, with an
> efficient fallback, making the issue of availability less important.

I can understand this reading of it but item 1 you list above was not at all the goal of this at all text. Perhaps this could be better phrased as 
“A DNS privacy service should strive to engineer encrypted services to the same availability level as any unencrypted services they provide.”?

> 
> * DROP is not a perfect acronym since the draft does not talk only
> about privacy but also about integrity ("result filtering", aka lying
> resolvers).

It seems is the best one offered yet - as mentioned previously bike-shedding on this is always an option… Vladimir suggested DNS Recursive Operator Policy but that seems a little too general to me given the limited scope of the document (Privacy services). Do you have a suggestion?

Also, one distinction is that the privacy related policy outlined in a DROP can be directly assessed against the privacy mitigations outlined in this document to determine a compliance level, whereas the document makes no statements about filtering policy requirements. The aim of including them in the DROP is purely for transparency.

> 
> * "exporting DNS traffic from the resolver using e.g. dnstap" May be a
> reference to section 6.1.1 about sharing could be a good idea? Today,
> many existing policies say things like "we don't store logs for more
> than N weeks" but are silent on export/sharing…

Or perhaps a reference to Section 5.2 is better as it lists the threats and mitigations in detail?

> 
> * "Aggressive Use of DNSSEC-Validated Cache [RFC8198] to reduce the
> number of queries to authoritative servers to increase privacy" RFC
> 8020 could be mentioned, too, for the same goal.

Sure.

> 
> * Appendix B is really good and useful. "The level of anonymization
> this [keeping a /24 for IPv4] produces is perhaps questionable" is
> certainly the understatement of the year :-)

:-)

Best regards

Sara.

v2.23.0 | Report a Bug | By Email