Re: [dns-privacy] [Ext] I-D Action: draft-ietf-dprive-phase2-requirements-02.txt
Paul Hoffman <paul.hoffman@icann.org> Sun, 15 November 2020 16:52 UTC
Return-Path: <paul.hoffman@icann.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A91A23A0977 for <dns-privacy@ietfa.amsl.com>; Sun, 15 Nov 2020 08:52:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ipFIXPmbQsbr for <dns-privacy@ietfa.amsl.com>; Sun, 15 Nov 2020 08:52:30 -0800 (PST)
Received: from ppa2.lax.icann.org (ppa2.lax.icann.org [192.0.33.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 772C03A0975 for <dns-privacy@ietf.org>; Sun, 15 Nov 2020 08:52:30 -0800 (PST)
Received: from MBX112-W2-CO-2.pexch112.icann.org (out.mail.icann.org [64.78.33.6]) by ppa2.lax.icann.org (8.16.0.42/8.16.0.42) with ESMTPS id 0AFGqT1F021502 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 15 Nov 2020 16:52:29 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-2.pexch112.icann.org (10.226.41.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.659.4; Sun, 15 Nov 2020 08:52:28 -0800
Received: from MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) by MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) with mapi id 15.02.0659.008; Sun, 15 Nov 2020 08:52:28 -0800
From: Paul Hoffman <paul.hoffman@icann.org>
To: Peter van Dijk <peter.van.dijk@powerdns.com>
CC: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Thread-Topic: [dns-privacy] [Ext] I-D Action: draft-ietf-dprive-phase2-requirements-02.txt
Thread-Index: AQHWu1adAmV5cJFPCkmuxNpSW3RZ56nJ7tUA
Date: Sun, 15 Nov 2020 16:52:28 +0000
Message-ID: <28E0AE99-EF6D-417D-8062-9A11A54B6AF6@icann.org>
References: <160435765311.18774.16063151114758509438@ietfa.amsl.com> <20201104082924.GA6824@sources.org> <D6440136-D6DF-48EE-BD12-BBFCBA63D68F@icann.org> <7c068dc33dc78072162b2c4d90326b31fe4f51ef.camel@powerdns.com>
In-Reply-To: <7c068dc33dc78072162b2c4d90326b31fe4f51ef.camel@powerdns.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: Processed
Content-Type: multipart/signed; boundary="Apple-Mail=_E2A8D806-3805-4C7E-8B55-5090569083E9"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.312, 18.0.737 definitions=2020-11-15_08:2020-11-13, 2020-11-15 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/jCu2rK5BxZ3HZbDmfDfFN_YrXG0>
Subject: Re: [dns-privacy] [Ext] I-D Action: draft-ietf-dprive-phase2-requirements-02.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Nov 2020 16:52:32 -0000
Thanks for the response! I hope that there is more list discussion before the WG meeting this week. On Nov 15, 2020, at 5:52 AM, Peter van Dijk <peter.van.dijk@powerdns.com> wrote: > > On Wed, 2020-11-04 at 15:04 +0000, Paul Hoffman wrote: >> It would be useful if a resolver could tell in advance, and at a cost less than port-checking. There could be a new protocols developed to do that. I don't see this as a requirement, though, given the low cost of port-checking. > > The cost of port checking is not low. We disagree in the general case, because I'm assuming a transport cache that is filled before an actual query is sent. Transport caches would be useful for both opportunistic and authenticated encryption. We agree in the specific case of "determine the transport at the time the resolver's user is waiting for an answer". > Variant 1: try 853 and 53 in parallel. High code complexity and a high likelihood that the first query to a 'new' auth (where 'new' might be measured in minutes) will be plain text anyway. There is no code complexity if you are probing the fill a transport cache. There is definitely the large, classical complexity of asyncy-with-abort for determining when needed. > Variant 2: try 853 first. How long do we wait for a timeout? In DNS, 500ms is a long time. For cache-filling, a 500 or 1000 ms timeout seems reasonable. For immediate need, there is no way to sanely balance "additional privacy" against "addition latency" in a way that everyone (or even most people) would agree to. > This is not happy eyeballs where both transports (v4 and v6) tend to have identical security properties. Exactly right. > DNS Flag Day 2019 (no more EDNS fallbacks) was designed to reduce probing and guessing in the resolver process. I'd love for us to not add probing and guessing in other parts of that process. I would love for that as well, if we make the solution barely harder to implement than port-checking. I am skeptical that we as a group can make a simple solution because everything we as a group do ends up much more complicated than we expected when we started. This is why I think we should compare the result to port-checking. The interesting wrinkle here is that if the solution is DNS-based, it will very likely be faster than port-checking because in most cases the result will come back much faster than any timeout that someone would pick for port-checking. The answer will likely also have much more value than a port check. That gives us (at least) two axes to compare and argue about, so I think it is worth pursuing. Tony's draft has a lot of good comparison thinking in it already. --Paul Hoffman
- [dns-privacy] I-D Action: draft-ietf-dprive-phase… internet-drafts
- [dns-privacy] Requirements for authoritative serv… Paul Hoffman
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Stephane Bortzmeyer
- Re: [dns-privacy] Requirements for authoritative … Stephane Bortzmeyer
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Stephane Bortzmeyer
- Re: [dns-privacy] Requirements for authoritative … Brian Dickson
- Re: [dns-privacy] Requirements for authoritative … Brian Dickson
- Re: [dns-privacy] [Ext] I-D Action: draft-ietf-dp… Paul Hoffman
- Re: [dns-privacy] [Ext] Requirements for authorit… Paul Hoffman
- Re: [dns-privacy] [Ext] I-D Action: draft-ietf-dp… Paul Hoffman
- Re: [dns-privacy] [Ext] Requirements for authorit… Paul Hoffman
- Re: [dns-privacy] [Ext] Requirements for authorit… Eric Rescorla
- Re: [dns-privacy] [Ext] Requirements for authorit… Paul Hoffman
- Re: [dns-privacy] [Ext] Requirements for authorit… Eric Rescorla
- Re: [dns-privacy] [Ext] I-D Action: draft-ietf-dp… Peter van Dijk
- Re: [dns-privacy] [Ext] I-D Action: draft-ietf-dp… Paul Hoffman
- Re: [dns-privacy] [Ext] I-D Action: draft-ietf-dp… Peter van Dijk