Re: [dns-privacy] [DNSOP] Next steps: draft-ietf-core-dns-over-coap
Martine Sophie Lenders <m.lenders@fu-berlin.de> Wed, 28 June 2023 14:24 UTC
Return-Path: <mlenders@zedat.fu-berlin.de>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB1E2C14CE25; Wed, 28 Jun 2023 07:24:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.196
X-Spam-Level:
X-Spam-Status: No, score=-4.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QW_XEi2bNz70; Wed, 28 Jun 2023 07:24:33 -0700 (PDT)
Received: from outpost1.zedat.fu-berlin.de (outpost1.zedat.fu-berlin.de [130.133.4.66]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C372C14CF13; Wed, 28 Jun 2023 07:24:32 -0700 (PDT)
Received: from inpost2.zedat.fu-berlin.de ([130.133.4.69]) by outpost.zedat.fu-berlin.de (Exim 4.95) with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384 (envelope-from <mlenders@zedat.fu-berlin.de>) id 1qEW5u-003hG4-Fl; Wed, 28 Jun 2023 16:24:30 +0200
Received: from 053dbcaa.dynamic.tele-ag.de ([5.61.188.170] helo=[192.168.101.6]) by inpost2.zedat.fu-berlin.de (Exim 4.95) with esmtpsa (TLS1.3) tls TLS_AES_128_GCM_SHA256 (envelope-from <m.lenders@fu-berlin.de>) id 1qEW5u-002zJe-8Q; Wed, 28 Jun 2023 16:24:30 +0200
Message-ID: <53c93af2-8b37-ad11-f12d-428f47a515ac@fu-berlin.de>
Date: Wed, 28 Jun 2023 16:24:29 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.12.0
Content-Language: en-US
To: Ben Schwartz <bemasc@meta.com>, "core@ietf.org" <core@ietf.org>
Cc: "draft-ietf-core-dns-over-coap@ietf.org" <draft-ietf-core-dns-over-coap@ietf.org>, dnsop <dnsop@ietf.org>, DNS Privacy Working Group <dns-privacy@ietf.org>
References: <2490fd32-437d-8182-ec2e-9e5058d9bf5a@fu-berlin.de> <BN8PR15MB3281BDC22008FF7D94076A1CB323A@BN8PR15MB3281.namprd15.prod.outlook.com>
From: Martine Sophie Lenders <m.lenders@fu-berlin.de>
In-Reply-To: <BN8PR15MB3281BDC22008FF7D94076A1CB323A@BN8PR15MB3281.namprd15.prod.outlook.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------XhMv3GiebKb1DjKs25NEeboQ"
X-Original-Sender: m.lenders@fu-berlin.de
X-Originating-IP: 5.61.188.170
X-ZEDAT-Hint: PAO
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/jQuf9Frt_VQUIkkEBVJiPIWvRq4>
Subject: Re: [dns-privacy] [DNSOP] Next steps: draft-ietf-core-dns-over-coap
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jun 2023 14:24:37 -0000
Hi Ben, On 23.06.23 22:23, Ben Schwartz wrote: > I think it would be helpful if this document were more explicit about > its motivation. In my view, the underlying motivation for this draft is > to enable seamless management of DNS service within a CoAP-centered > deployment, by sharing key distribution, access controls, monitoring, > etc. The draft claims various performance benefits from DoC, but these > are unproven and seem unlikely to be significant. We have a paper on the performance benefits just accepted for CoNEXT, which we will cite once it is published. An early pre-print (the final paper underwent some major revisions though) is available on arXiv [5]. > ... > > For our document, I think we > need at least confirmation or decline that the "coap" ALPN could be > used > for DTLS, SVCB for OSCORE/EDHOC, I think is out of scope at the moment > anyways. > > I'm not sure I follow, but using the same ALPN for multiple transports > renders that ALPN permanently incompatible with SVCB. I recommend > keeping "coap" for TLS/TCP only, and defining a new ALPN ID for CoAP/DTLS. That makes things clearer for us. In the next version we will word the draft in accordance to that: only the "coap" is ALPN for TLS/TCP is available at the moment. For DTLS and OSCORE alternative approaches need to be created (see [1] and [2] in my original mail) which are, however, out of scope of the DoC document, in my opinion. > Furthermore, there is still an open question, if DoC can or should be > translated at a CoAP-HTTP proxy to DoH. Namely, how the FETCH that DoC > uses should be translated into the POST/GET of DoH [3]. > > I don't think there is any need to specify this. A DoC server could act > as a forwarder to an upstream using DoH, DoQ, etc. in accordance with > the relevant standards, without impacting its compliance as a DoC server. > > However, this does resemble a concern I've previously raised: the draft > does not explain why it is necessary to define a new DoC mechanism, > rather than simply forwarding RFC 8484 DoH through a CoAP-HTTP proxy. This question was raised in reaction to your concern, actually. Note, that if a proxy is used, the target resource needs to be mentioned in the CoAP header, increasing the overall packet size, so a proxy should be kept optional. Forwarding DoH through a C-H-proxy would make the proxy mandatory. In addition, DoC is greatly benefiting from its usage of the CoAP-only FETCH method (see [5]). The question is more a CoRE question, I think. RFC 8132 does not really specify, how FETCH should be translated via a C-H-proxy, so I assume it to be use-case dependent. Should the draft specify this for the DoC use case, and if yes which method should be used, or should the DoC server just act as a recursive resolver, using DoH towards the DNS infrastructure? Best Martine [5] https://arxiv.org/abs/2207.07486
- [dns-privacy] Next steps: draft-ietf-core-dns-ove… Martine Sophie Lenders
- Re: [dns-privacy] [DNSOP] Next steps: draft-ietf-… Ben Schwartz
- Re: [dns-privacy] [core] Next steps: draft-ietf-c… mohamed.boucadair
- Re: [dns-privacy] [DNSOP] Next steps: draft-ietf-… Martine Sophie Lenders
- Re: [dns-privacy] [DNSOP] Next steps: draft-ietf-… Ben Schwartz
- Re: [dns-privacy] [DNSOP] Next steps: draft-ietf-… Christian Amsüss
- Re: [dns-privacy] [DNSOP] Next steps: draft-ietf-… Ben Schwartz
- Re: [dns-privacy] [DNSOP] Next steps: draft-ietf-… Esko Dijk
- Re: [dns-privacy] [core] [DNSOP] Next steps: draf… Carsten Bormann