IETF Logo Mail Archive

Re: [dns-privacy] [Ext] AD review of draft-ietf-dprive-unilateral-probing-09

Christian Huitema <huitema@huitema.net> Sat, 22 July 2023 22:27 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81BA0C15198C for <dns-privacy@ietfa.amsl.com>; Sat, 22 Jul 2023 15:27:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VmUJJREH1LlH for <dns-privacy@ietfa.amsl.com>; Sat, 22 Jul 2023 15:27:46 -0700 (PDT)
Received: from mx36-out20.antispamcloud.com (mx36-out20.antispamcloud.com [209.126.121.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6619FC15153F for <dns-privacy@ietf.org>; Sat, 22 Jul 2023 15:27:46 -0700 (PDT)
Received: from xse407.mail2web.com ([66.113.197.153] helo=xse.mail2web.com) by mx192.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1qNL4g-000OXg-KB for dns-privacy@ietf.org; Sun, 23 Jul 2023 00:27:44 +0200
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 4R7gzG73DKzBSq for <dns-privacy@ietf.org>; Sat, 22 Jul 2023 15:27:38 -0700 (PDT)
Received: from [10.5.2.12] (helo=xmail02.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1qNL4c-00010p-RG for dns-privacy@ietf.org; Sat, 22 Jul 2023 15:27:38 -0700
Received: (qmail 15361 invoked from network); 22 Jul 2023 22:27:38 -0000
Received: from unknown (HELO [192.168.1.105]) (Authenticated-user:_huitema@huitema.net@[172.58.43.117]) (envelope-sender <huitema@huitema.net>) by xmail02.myhosting.com (qmail-ldap-1.03) with ESMTPA for <paul.hoffman@icann.org>; 22 Jul 2023 22:27:37 -0000
Message-ID: <faf9ea55-e46b-d80a-bcb1-675898acbb15@huitema.net>
Date: Sat, 22 Jul 2023 15:27:35 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0
Content-Language: en-US
To: Paul Hoffman <paul.hoffman@icann.org>, "Eric Vyncke (evyncke)" <evyncke=40cisco.com@dmarc.ietf.org>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
References: <C0F3EA5F-96EF-4777-94E3-3B3913134483@cisco.com> <BCD1E369-59E3-4A20-960A-A7052DEA3DC7@icann.org>
From: Christian Huitema <huitema@huitema.net>
In-Reply-To: <BCD1E369-59E3-4A20-960A-A7052DEA3DC7@icann.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: 66.113.197.153
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT9fVukamQt5StiokhsBdniaPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5zh2yKlFwkOJL4c32G0KduLVjVx0XVkNnHJMw/amoreObgc uOxA/xspHLdCR0bvGI3KLMyCg2dNZJAK3gbNiIydSxIRXVMlFuiz/acFNeeXtxN2fFxZWB9eYgpR BRu3UlDHMLIJYRi1cXH9Dbm+IxLVawcnSgqVpmeUaJoFBZLVUXGFd932lfz+R/06O3Iy4akkoDli Amx6TWEzN+1Z+UMakVWClPVvbW5lVyQanRxw5hTHswbbB/ha+ZWrSAi8SkwqWAikMcSxTAWn8RCv ieGEqjG/gXZAaRh1X6LVetRf2ZYIiHqfCgG4wrA3w4/kQTYKxDHA9JN9J4k4XZq11JQkMemT4rxn nByU11Ftkqf3f/PF3GUV+KdBBqrnCX8j0Gi8Ksk+aedMfNWSnJswrtlNtZo3HPHi5Q+jjsF5dcBx esT5ugtW33qEiSgkZE9WYd8H0+lPwKr4i5mAANUcVraZYOaeuiH/yEdZH8S1+TgcJBOjh0vPxcQO jKKOrYIQYpwamUdylUIKhf3z2GAHxH7Ig01Wr79A66tDSdF206u+REJIZKjUOmLs2N0edR+jA2iY fby5OrWxYrmAOY2AmTNEukprXjNI7VQok+gpVRTOdpHu5IavKmIRTFKbZzacLf4zOD3nwgVsoqU1 zQ3lxqBCERWeKKG4PAQYNyavp7c49KAioYpgrb5GJyX2RM51pNcFEtMYkDtPBfDm/HWcGTWmoSyy ir87SQgtAxv4vj40shrsCqzAfMiuyuFuYdB6rLEOVcZv254a1SspgLrZBCX/9gt3r3cu6w5Jhoa8 2I7zIzheMPxghFsjIwINNqkbXC8q7fBXfwiTkcwbv0dB5b3yNR3oW5YiBYO7UVjw0gdRPrII++x6 YSSQfv2n7TJ4De1knRDjH7QY7Fm+gQ0M40rBtaly/uPaPGs4IuAYIIDnnmIMx2SsJMcYcfaTa1Z5 siYOS4qqjKkTvrhEiORgsEtrMS+4ayUpOtEhdxekWDmK9g==
X-Report-Abuse-To: spam@quarantine14.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/ji6CjVqQsag9cWMEmMS5uHHij2I>
Subject: Re: [dns-privacy] [Ext] AD review of draft-ietf-dprive-unilateral-probing-09
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Jul 2023 22:27:48 -0000


On 7/21/2023 11:56 AM, Paul Hoffman wrote:
> Substantial bits below; others were accepted withtout note.
> 
> On Jul 17, 2023, at 5:06 AM, Eric Vyncke (evyncke) <evyncke=40cisco.com@dmarc.ietf.org> wrote:
>> # Shepherd's write-ip
>>
>> The shepherd's write-up states "the WG would like to ensure that this list remains in the document once it is published as an RFC" but the appendix A states "RFC Editor: please remove this section before publication". I.e., the shepherd's write-up and the I-D MUST be coherent ;-)
> 
> Paul Wouters pointed out on the list (2023-07-02) that Appendix A is not in the format from RFC 7942, and is not at all definitive, and thus can be removed.
> 
>> # Section 1.1
>>
>> I am always uneasy with the use of BCP14 normative language outside of a standard track or BCP document.
> 
> I agree with your unease, but it is a long-established tradition in the RFC Series. If the IESG and IAB and ISE want to create new guidance on that...
> 
>> # Section 3
>>
>> This was probably discussed over the mailing list, but must DoT & DoQ replies be also identical to Do53 replies ? The current text is a little underspecified.
> 
> The last paragraph of Section 3 says "An authoritative server implementing DoT or DoQ MUST authoritatively serve the same zones over all supported transports." How should we say that differently to be more specfied?
> 
>> # Section 3.2
>>
>> In ` The simplest deployment would simply provide a self-issued, regularly-updated X.509 certificate` is the intent to use short-lived certificates ? Or more to state "valid certificate" ? The text would benefit from clarity.
> 
> There is no intent for short-lived or long-lived: that's totally up to the deployment. Also, self-issued certificates are not valid, they are only verifiable.
> 
>> # Section 3.5
>>
>> Expect some comments during the IESG review if the SHOULDs do not have some wording about when the SHOULDs does not apply.
> 
>     To increase the anonymity set for each response, the authoritative
>     server SHOULD use a sensible padding mechanism for all responses it
>     sends when possible (this might be limited by e.g. not receiving an
>     EDNS(0) option in the query).  Specifically, a DoT server SHOULD use
>     EDNS(0) padding [RFC7830] if possible, and a DoQ server SHOULD follow
>     the guidance in Section 5.4 of [RFC9250].  How much to pad is out of
>     scope of this document, but a reasonable suggestion can be found in
>     [RFC8467].
> The first SHOULD says it does not apply when not receiving an EDNS(0) option. The second points to the logic in Section 5.4 of RFC 9250. What more could we add?

IF we were serious about the "informational only" status, then we would 
rewrite this to provide information instead of mandating behavior. 
Something like:

An authoritative server that does not use sensible padding mechanisms 
will probably decrease the anonymity of each response. For DoT, sensible 
padding mechanism can be implemented using EDNS(0) padding [RFC7830]. 
For DoQ, padding mechanisms are described in Section 5.4 of [RFC9250]. 
How much to pad is out of scope of this document, but a reasonable 
suggestion can be found in [RFC8467].

-- Christian Huitema

> 
>> # Section 4.4
>>
>> Unsure whether the last paragraph has any value... ` a recursive resolver implementing these strategies SHOULD also accept queries from its clients over some encrypted transport (current common transports are DoH or DoT).`
> 
> That was requested by the WG.
> 
>> # Section 4.6.10
>>
>> Only one prioritization scheme in this section while there were two in section 3.4
> 
> Section 3 is about authoritative servers, Section 4 is about resolvers. In general, no one gets too concerned about resource exhaustion in resolvers. After the deployment experiemt, maybe that will change.
> 
> We will turn in the -10 during IETF117.
> 
> --Paul Hoffman
> 
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy

v2.23.0 | Report a Bug | By Email