Re: [dns-privacy] Call for Adoption: draft-hal-adot-operational-considerations
Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 14 August 2019 22:16 UTC
To: Brian Haberman <brian@innovationslab.net>, dns-privacy@ietf.org
References: <5352e08c-3280-999c-0c3f-d15a9f02a7b4@innovationslab.net>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <9b42780f-d91c-5c70-095e-1b9cd181360f@cs.tcd.ie>
Date: Wed, 14 Aug 2019 23:15:58 +0100
In-Reply-To: <5352e08c-3280-999c-0c3f-d15a9f02a7b4@innovationslab.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/o7FjB0zYGYNlfnntkjkfdZkuGUo>
Subject: Re: [dns-privacy] Call for Adoption: draft-hal-adot-operational-considerations
Hiya,

On 14/08/2019 21:40, Brian Haberman wrote:
> This starts a Call for Adoption for
> draft-hal-adot-operational-considerations
>
> The draft is available here:
> https://datatracker.ietf.org/doc/draft-hal-adot-operational-considerations/
>
> Please review this draft to see if you think it is suitable for adoption
> by DPRIVE, and comment to the list, clearly stating your view.
>
> Please also indicate if you are willing to contribute text, review, etc.

I'd definitely review. I'm not sure if eventual adoption would be a good or bad idea TBH. As of now I think I'd suggest waiting for another version or two before re-considering adoption but depending on discussion in this thread I might be more positive (or less;-).

I fully agree that the analysis called-for needs to be done but am very unsure we need to reach consensus on all the text that describes that analysis. Getting that consensus may be v. hard if people come at it from radically different perspectives where some think encrypting DNS is basically dodgy and others think it's a great plan.

My comments/questions below:

#0 What's the target? Is this aiming to be an RFC? If so, why? If not (if it's meant to be an I-D the WG work on to help the analysis that's likely not gonna become an RFC), that may make sense, but I'm not sure what the authors' wishes are.

#1 Version -02 is a good bit better than -00. So thanks to the authors for the work already done.

#2 "providing limited protection to end users." still seems to be somewhat begrudging - doesn't the protection offered deserve as thorough an analysis as the operational issues? If so, will that be part of the work here? If not, why not? (For example, the size of the set of qnames for which an authoritative can answer presumably affects the level of privacy benefit accruing from ADOT, and there are likely some fairly subtle issues in that analysis, for example if 99% of queries to one server are for one popular qname.)

#3 Why is 2.1 needed? The MUSTs in 4.1 are bogus anyway.

#4 The draft-green reference is gone (yay!) but the text in 3.5 referring to [10] and [11] seem to be implicit recommendations to do the same thing. I will object to text that recommends MitMing TLS like that in any WG document and I suspect I'm not alone. (This is an example of where aiming for WG consensus text may be counter-productive.)

#5 I don't understand the basis for 3.6 - I think such text would need to be based on some experiments but see no sign that's been done so far. The same is far more clearly true for 3.8 - that reference is years ahead of being reasonable. (Russ' draft is fine, but suggesting it for ADOT and doing so now are both IMO very premature.)

#6 Passive DNS needs a mention. If ADOT were to succeed I guess it'd affect that. The percentage of traffic that could use ADOT without affecting the utility of passive DNS, while still improving privacy, would be a good thing to try figure out. (Not doing so may result in another set of vendors/service providers being needlessly angsty about improving privacy;-)

Lastly, if the WG do adopt this, I would suggest that the WG chairs consider a bit of author shuffling as is the WG chairs' prerogative. While operator-focused authors (as I believe is the case for the current author-set) are absolutely required, I believe adding an author who is equally or more concerned with getting the potential privacy gains of TLS (for ADOT) may be a good plan as it might result in text on which the WG can more easily reach consensus (if the author-team have beaten one another up first, that'd maybe save a WG participant-melee later:-)

Cheers,
S.

> This call for adoption ends: 28 August 2019
>
> Thanks,
> Brian & Tim
>
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy
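As an added illustration of the point raised in #2 above (this is editor-supplied example code, not part of the message or of draft-hal-adot-operational-considerations): with ADOT the query itself is encrypted, but the identity of the authoritative server is still visible to an on-path observer, so the privacy gain depends on how many distinct qnames that server answers for and how evenly queries are spread over them. The script below takes a constructed set of (authoritative server, qname) observations of the kind a resolver operator could derive from their own logs and reports, per server, the probability that the most popular qname is the right guess together with the min-entropy and Shannon entropy of the distribution. Server and zone names are placeholders.

```python
"""Per-authoritative qname-distribution metrics as a rough measure of the
privacy benefit of encrypting queries to that server (constructed example)."""
import math
from collections import Counter

# Constructed sample of (authoritative server, qname) observations.
# Server A: 99 of 100 queries are for one popular qname (the #2 scenario).
# Server B: queries spread evenly over four qnames.
SAMPLE_QUERIES = (
    [("ns1.example-a.test", "www.example-a.test")] * 99
    + [("ns1.example-a.test", "mail.example-a.test")]
    + [
        ("ns1.example-b.test", qname)
        for qname in (
            "www.example-b.test",
            "mail.example-b.test",
            "api.example-b.test",
            "cdn.example-b.test",
        )
        for _ in range(25)
    ]
)


def qname_counts(queries):
    """Group observations into a per-server Counter of qnames."""
    per_server = {}
    for server, qname in queries:
        per_server.setdefault(server, Counter())[qname] += 1
    return per_server


def best_guess_probability(counts):
    """Chance that guessing the most frequent qname is correct."""
    total = sum(counts.values())
    return max(counts.values()) / total


def min_entropy_bits(counts):
    """Min-entropy: -log2 of the best-guess probability (worst case)."""
    return -math.log2(best_guess_probability(counts))


def shannon_entropy_bits(counts):
    """Shannon entropy of the qname distribution (average case)."""
    total = sum(counts.values())
    return -sum(
        (c / total) * math.log2(c / total) for c in counts.values()
    )


def privacy_summary(queries):
    """Per-server metrics describing how hard the qname is to infer when
    only the destination server, not the encrypted query, is visible."""
    summary = {}
    for server, counts in qname_counts(queries).items():
        summary[server] = {
            "distinct_qnames": len(counts),
            "best_guess_probability": best_guess_probability(counts),
            "min_entropy_bits": min_entropy_bits(counts),
            "shannon_entropy_bits": shannon_entropy_bits(counts),
        }
    return summary


if __name__ == "__main__":
    for server, metrics in privacy_summary(SAMPLE_QUERIES).items():
        print(server)
        for name, value in metrics.items():
            print(f"  {name}: {value:.4f}" if isinstance(value, float)
                  else f"  {name}: {value}")
```

For server A the best guess is right 99% of the time and the min-entropy is about 0.014 bits, so encrypting the query hides almost nothing about the qname from an observer who can see the destination; for server B the observer gains 2 bits of uncertainty. Min-entropy is the more conservative figure because it captures the single most likely guess rather than the average over all queries.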