IETF Logo Mail Archive

Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>

Eric Rescorla <ekr@rtfm.com> Mon, 20 January 2020 23:23 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C322120801 for <dns-privacy@ietfa.amsl.com>; Mon, 20 Jan 2020 15:23:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1JpignJllqDj for <dns-privacy@ietfa.amsl.com>; Mon, 20 Jan 2020 15:23:24 -0800 (PST)
Received: from mail-lj1-x242.google.com (mail-lj1-x242.google.com [IPv6:2a00:1450:4864:20::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29D3F12082D for <dns-privacy@ietf.org>; Mon, 20 Jan 2020 15:23:24 -0800 (PST)
Received: by mail-lj1-x242.google.com with SMTP id j1so800410lja.2 for <dns-privacy@ietf.org>; Mon, 20 Jan 2020 15:23:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xbNKX6A25pxQ4/rZ6335JdY3YdmjQO4LF0iFzu3LArY=; b=Vu7IhDsIy842z9ndV44wZk+R+XFW0q5Ff6+gXA15j2Vrjy9s83liTWRvnqqo0rk3xN iqgAMaIwR5V7WqFmB59wnv/fB90pWvRsD0yuFESbP5s14W9ERKan/A9m3ZpkJdKkw2ov //PYApQn/1U5mLh0S7asIkInEc0v/sfueHCBQMyNjvtpSgBO65dVTOGa75KvWfxxxRR2 y48KJH04b20o6NuirM82GZ7KXRHvwmM6Ph5AoGNt9nqN4do/flsh+3C1U7dPO2COqJvf Qrwcd8qQuJS4Udn8kXmo0t4QzkK2BAB/C0JYPvAAMTuBJTeGOKmEG+r5zH4i7unFjoch Njzw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xbNKX6A25pxQ4/rZ6335JdY3YdmjQO4LF0iFzu3LArY=; b=JjLiq48oVRYmrhwlGGBLcR3l0XUXkXbFwtStu8xBwN2uO5hWmCs3z8H2HY1VA6wBNb Ct9fBjcXigEhhv2Aag8//E18AnljgseQjEFc2GhWLX6zWAAwcWhinLVmFTz/unzjrTlu wO5lhBgYYrDpfCscn5w/jmjVriAlrxqlADGk3Q53YdY/9+0g9OFYg4IxBXWfpSRzmzhb rvQLZwCDCmRotjM6c6itL4bvdKBELRK38MLvFsKXach4vLxZEIveRIEcN4eax0meoGpf 09l8LKbfMtcvcGSD3rEKSZhKF3o+o/neh3b9qnuui8qw/z5BGSQsamc9EvMaGvThPTsC 5lfQ==
X-Gm-Message-State: APjAAAXzajpb2qyIRHq+dU4W9FkXxhzqkKbzA5yVAXMdlTgG0VQPBLfT ElEyqgBAOXs6CqwJBgdMiHQ+4JEFM4btzJpLV2Zg3A==
X-Google-Smtp-Source: APXvYqzgBW38tJ7seP4h0mC0uDl7V0nTGe2bE4mCzOLltgWBVDBRhzenAfnuijbQ1UbyOTrxK639QO3cnhizn26OrXc=
X-Received: by 2002:a2e:b0e3:: with SMTP id h3mr14414043ljl.56.1579562602330; Mon, 20 Jan 2020 15:23:22 -0800 (PST)
MIME-Version: 1.0
References: <157955609351.1744.15099511006231348523.idtracker@ietfa.amsl.com> <417BE033-4DE5-452A-BE93-0657C83051BC@cisco.com> <CABcZeBPK3yAaoai4ccd=hSffk5cAhoSC7gnBNqs36x-xJf=R-Q@mail.gmail.com>
In-Reply-To: <CABcZeBPK3yAaoai4ccd=hSffk5cAhoSC7gnBNqs36x-xJf=R-Q@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 20 Jan 2020 15:22:45 -0800
Message-ID: <CABcZeBPnKzEunvbUXv5kkOhdo9zMi=JjLRb6_hAncth6bU+PwA@mail.gmail.com>
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, last-call@ietf.org
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "draft-ietf-dprive-rfc7626-bis@ietf.org" <draft-ietf-dprive-rfc7626-bis@ietf.org>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d02d55059c9a937e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/lp7Rm4YJ87S6aii8vBrQFgKqeUc>
Subject: Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jan 2020 23:23:27 -0000

+last-call

On Mon, Jan 20, 2020 at 2:37 PM Eric Rescorla <ekr@rtfm.com> wrote:

> Review comments attached:
>
>
> COMMENTS
> S 3.1.
> >      described above, and may not have any confidentiality requirements.
> >      However, the same is not true of a single transaction or a sequence
> >      of transactions; that transaction is not / should not be public.  A
> >      typical example from outside the DNS world is: the web site of
> >      Alcoholics Anonymous is public; the fact that you visit it should
> not
> >      be.
>
> Well, technically what you want to conceal is the origin of the
> transaction or its linkage to other transactions. The existence of the
> query for that A record isn't secret.
>
>
>
>
>
> S 3.4.2.
> >      fingerprint [2] values can be used to fingerprint client OS's or
> that
> >      various techniques can be used to de-NAT DNS queries dns-de-nat [3].
> >
> >      Note that even when using encrypted transports the use of clear text
> >      transport options to decrease latency can provide correlation of a
> >      users' connections e.g.  using TCP Fast Open [RFC7413] with TLS 1.2.
>
> Why does this say TLS 1.2? Any use of TFO will have the same
> properties.
>
> Perhaps you are thinking of TLS session tickets here?
>
>
>
>
> S 3.4.2.
> >      services available.  Given this, the choice of a user to configure a
> >      single resolver (or a fixed set of resolvers) and an encrypted
> >      transport to use in all network environments can actually serve to
> >      identify the user as one that desires privacy and can provide an
> >      added mechanism to track them as they move across network
> >      environments.
>
> I don't understand this paragraph. It's not the choice of specific
> resolvers that leaks data, but the choice to turn on encryption, In
> fact, from an identification purpose, the more resolvers that support
> encrypted transport, the better signal this is.
>
>
> S 3.4.2.
> >      identify the user as one that desires privacy and can provide an
> >      added mechanism to track them as they move across network
> >      environments.
> >
> >      Implementations that support encrypted transports also commonly re-
> >      use sessions for multiple DNS queries to optimize performance (e.g.
>
> Note: session is a technical term in TLS that refers to the
> association not the connection. I would say "connection"
>
>
> S 3.5.1.1.2.
> >
> >      o  communicate clearly the change in default to users
> >
> >      o  provide configuration options to change the default
> >
> >      o  provide configuration options to always use the system resolver
>
> I get that you think this is neutral, but all of this is equally true
> about dynamic discovery via DHCP, it's just that that's the status
> quo, so you don't notice it. In this context, this text is tendentious.
>
>
> S 3.5.1.1.2.
> >
> >      Application-specific changes to default destinations for users' DNS
> >      queries might increase or decrease user privacy - it is highly
> >      dependent on the network context and the application-specific
> >      default.  This is an area of active debate and the IETF is working
> on
> >      a number of issues related to application-specific DNS settings.
>
> This, too, could be said about the current situation.
>
> On Mon, Jan 20, 2020 at 1:47 PM Eric Vyncke (evyncke) <evyncke@cisco.com>
> wrote:
>
>> Thanks to Sara and Stéphane for the -04 revised I-D.
>>
>> After reading the -04, I think that most of the IETF Last Call comments
>> are addressed (and consensus needs to be balanced -- even for informational
>> document) and that the document sticks to facts.
>>
>> But, as section 3.5.1 ("in the recursive resolvers") raised a lot of
>> discussions during the first IETF Last Call, and as the authors reacted to
>> those comments by deep changes in the text, let's have a new IETF Last Call
>> before proceeding with IESG evaluation.
>>
>> Again, thank you to the reviewers and the authors
>>
>> Regards,
>>
>> -éric
>>
>>
>> On 20/01/2020, 22:34, "IETF Secretariat" <
>> ietf-secretariat-reply@ietf.org> wrote:
>>
>>     IESG state changed:
>>
>>     New State: Last Call Requested
>>
>>     (The previous state was Waiting for AD Go-Ahead::AD Followup)
>>
>>     The previous last call raised several points. The authors have worked
>> on those points and this new informational IETF draft has substantive
>> changes; enough to go trigger a new IETF Last Call.
>>
>>     -éric
>>
>>     Datatracker URL:
>> https://datatracker.ietf.org/doc/draft-ietf-dprive-rfc7626-bis/
>>
>>
>>
>> _______________________________________________
>> dns-privacy mailing list
>> dns-privacy@ietf.org
>> https://www.ietf.org/mailman/listinfo/dns-privacy
>>
>

v2.23.0 | Report a Bug | By Email