Re: [dns-privacy] Last Call: <draft-ietf-dprive-bcp-op-07.txt> (Recommendations for DNS Privacy Service Operators) to Best Current Practice
Rob Sayre <sayrer@gmail.com> Fri, 20 December 2019 19:10 UTC
Return-Path: <sayrer@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76612120994; Fri, 20 Dec 2019 11:10:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7PwZALz_bWoo; Fri, 20 Dec 2019 11:10:06 -0800 (PST)
Received: from mail-io1-xd44.google.com (mail-io1-xd44.google.com [IPv6:2607:f8b0:4864:20::d44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 021BB1209BC; Fri, 20 Dec 2019 11:10:06 -0800 (PST)
Received: by mail-io1-xd44.google.com with SMTP id i11so10433888ioi.12; Fri, 20 Dec 2019 11:10:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=7eWWw5rn+/F6VGeDIaOVhB2uIBRYKX1LZj/m44Hz7SE=; b=pef353bqIVadwJazsBc67amH/ytPBVKOPrj7WcRSGGN6QU9iUJX5PGiuc9djc5Rj8N T4Sdqu4M7bjJNNhysd6DR6S5GQu1zP+DuO8QiJaqfDgAevt9yVQZ4lAzvsAcW7P7759L sSldq4pLfLEKV4PnnGYvwPd+/4a4f0dJhe+1yh/wraw0vWmZpDS4+IDs2Ba86z4jlmnc mlCfeFy0BixHjlaGmTmuZhMiXqwpkc6ly5ddsOTbhON8owAiF/e+t5KEojuPIcdzlVkh fZysMwJ65RIKehtaBbnTRaG6E/v7BHbjwE8peCSLrKlEfg0RAjsCvVLFp1NwwFI7qtIc Y0kg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=7eWWw5rn+/F6VGeDIaOVhB2uIBRYKX1LZj/m44Hz7SE=; b=qvpC0BsUgBbZZ0RU07ImpWpBj3YgKxR8p3HfFj53y+oiEQF9IJio6LocZB3X5C+4AX o20g8d5d+YW3h1T46uo6pI6wMzCQ1Ov9/2/9Ey8wPvCIfrfT1f6Va5cU9KkMpSOkH+MR UNPSNFQshyUTHSKADi+rUzuPh7T1pdb3R3Zj9OvDS6/LXggwEc3tVmeDEAfY65Ktp4Ya TwhD1o+a/UTJ88le0a42KztDPuwmut7NOrhCCTgL7ZLEouzbN215ufYx34JKXka0NoXo B2caXzdKNUDN4E8s8q7bZaq5FN9YXZgYPoFJydgJqOYsPdiECoDGB1DoR/c52eN+NDiV BZEQ==
X-Gm-Message-State: APjAAAU1zJoT7MZFcP+Wz6OZIly7IYLS+Xc/kwkz5kr8s1ERIdDqk8R0 JtofnifewQE+O/Avp0eTYCANzqfjZtvaQrs3mMs=
X-Google-Smtp-Source: APXvYqwg9u3Qz6geEfoVSQfFCnUTdqBmBKlEv6E/TZaRqoLsyDOdTb9Hto0AVTm/ioTsgg0p5AyPcyckVYdhMXxYDQA=
X-Received: by 2002:a5d:9555:: with SMTP id a21mr11447257ios.49.1576869005055; Fri, 20 Dec 2019 11:10:05 -0800 (PST)
MIME-Version: 1.0
References: <157676591810.27491.5332518530732320835.idtracker@ietfa.amsl.com> <CAChr6Sx4UfYkgnsqLmN467GQJ5Qayo0o3mfy7dCcLhzAduQAHw@mail.gmail.com> <70AF207C-B753-4419-BFB7-9EBAA59B73BB@nlnetlabs.nl>
In-Reply-To: <70AF207C-B753-4419-BFB7-9EBAA59B73BB@nlnetlabs.nl>
From: Rob Sayre <sayrer@gmail.com>
Date: Fri, 20 Dec 2019 11:09:53 -0800
Message-ID: <CAChr6Swo4box3anOHhrqkzBjt_MaKMOOoHJH2oBzU9nUY7ytMQ@mail.gmail.com>
To: Roland van Rijswijk-Deij <roland@nlnetlabs.nl>
Cc: last-call@ietf.org, IETF-Announce <ietf-announce@ietf.org>, Tim Wicinski <tjw.ietf@gmail.com>, draft-ietf-dprive-bcp-op@ietf.org, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, DNS Privacy Working Group <dns-privacy@ietf.org>, dprive-chairs@ietf.org
Content-Type: multipart/alternative; boundary="000000000000e75d88059a276ce4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/oizgqXY5MkVBZsIFm4r9lEjMF0E>
Subject: Re: [dns-privacy] Last Call: <draft-ietf-dprive-bcp-op-07.txt> (Recommendations for DNS Privacy Service Operators) to Best Current Practice
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Dec 2019 19:10:09 -0000
Hi, Right you are: my comments were intended for draft-ietf-dprive-rfc7626-bis-03. (also in last call). Sorry for the confusion. thanks, Rob On Fri, Dec 20, 2019 at 10:59 AM Roland van Rijswijk-Deij < roland@nlnetlabs.nl> wrote: > Hi Rob, > > I'm responding on behalf of the authors of <draft-ietf-dprive-bcp-op-07>; > we believe that your comments refer to another draft, > <draft-ietf-dprive-rfc7626-bis-03>, since <draft-ietf-dprive-bcp-op-07> > does not have a section 3.5.1.5.2, nor does it list the concerns you are > referring to, whereas the other draft does. > > If this is correct, would you please confirm and post the feedback to the > thread relating to the appropriate draft? > > Thank you in advance. > > Best regards, also on behalf of Sara, Allison and Benno, > > Roland > > > On 19 Dec 2019, at 21:15, Rob Sayre <sayrer@GMAIL.COM> wrote: > > > > I found two issues with draft-07. The document mentions unattributed > "concerns" in a few places. That doesn't seem like helpful content, but I > can't say that such "concerns" and rampant use of the passive voice are > uncommon in today's IETF. > > > > Secondly, I found the entire section "3.5.1.5.2. DoH Specific > Considerations" to be objectionable, and recommend removing it. It mentions > many concerns that are better covered in RFC 8484 and/or HTTP RFCs, and > contrasts DoH with DoT in ways that are specious. Both TLS and HTTP allow > extension fields and metadata, so there's nothing unique to DoH here > (source: I've implemented DoH and ESNI clients). The entire section amounts > to a description of fields that privacy conscious DoH clients /might/ send > if they were poorly implemented. But it seems strange to stop there. > Implementation quality ratholes can go on for a while: for example, the > document doesn't mention the numerous problems with today's TLS, PKI, and > BGP infrastructure that apply to both DoT and DoH. > > > > thanks, > > Rob > > > > > > > > > > On Thu, Dec 19, 2019 at 6:32 AM The IESG <iesg-secretary@ietf.org> > wrote: > > > > The IESG has received a request from the DNS PRIVate Exchange WG > (dprive) to > > consider the following document: - 'Recommendations for DNS Privacy > Service > > Operators' > > <draft-ietf-dprive-bcp-op-07.txt> as Best Current Practice > > > > The IESG plans to make a decision in the next few weeks, and solicits > final > > comments on this action. Please send substantive comments to the > > last-call@ietf.org mailing lists by 2020-01-02. Exceptionally, comments > may > > be sent to iesg@ietf.org instead. In either case, please retain the > beginning > > of the Subject line to allow automated sorting. > > > > Abstract > > > > > > This document presents operational, policy and security > > considerations for DNS recursive resolver operators who choose to > > offer DNS Privacy services. With these recommendations, the operator > > can make deliberate decisions regarding which services to provide, > > and how the decisions and alternatives impact the privacy of users. > > > > This document also presents a framework to assist writers of a DNS > > Recursive Operator Privacy Statement (analogous to DNS Security > > Extensions (DNSSEC) Policies and DNSSEC Practice Statements described > > in RFC6841). > > > > > > > > > > The file can be obtained via > > https://datatracker.ietf.org/doc/draft-ietf-dprive-bcp-op/ > > > > IESG discussion can be tracked via > > https://datatracker.ietf.org/doc/draft-ietf-dprive-bcp-op/ballot/ > > > > > > No IPR declarations have been submitted directly on this I-D. > > > > > > The document contains these normative downward references. > > See RFC 3967 for additional information: > > rfc8404: Effects of Pervasive Encryption on Operators (Informational > - IETF stream) > > rfc8467: Padding Policies for Extension Mechanisms for DNS (EDNS(0)) > (Experimental - IETF stream) > > rfc7828: The edns-tcp-keepalive EDNS0 Option (Proposed Standard - > IETF stream) > > rfc8484: DNS Queries over HTTPS (DoH) (Proposed Standard - IETF > stream) > > rfc6973: Privacy Considerations for Internet Protocols > (Informational - IAB stream) > > rfc7766: DNS Transport over TCP - Implementation Requirements > (Proposed Standard - IETF stream) > > rfc6265: HTTP State Management Mechanism (Proposed Standard - IETF > stream) > > rfc8310: Usage Profiles for DNS over TLS and DNS over DTLS (Proposed > Standard - IETF stream) > > rfc7626: DNS Privacy Considerations (Informational - IETF stream) > > rfc7830: The EDNS(0) Padding Option (Proposed Standard - IETF stream) > > rfc7873: Domain Name System (DNS) Cookies (Proposed Standard - IETF > stream) > > rfc7858: Specification for DNS over Transport Layer Security (TLS) > (Proposed Standard - IETF stream) > > rfc7871: Client Subnet in DNS Queries (Informational - IETF stream) > > draft-ietf-dprive-rfc7626-bis: DNS Privacy Considerations (None - > IETF stream) > > rfc7816: DNS Query Name Minimisation to Improve Privacy > (Experimental - IETF stream) > > > > > > > > _______________________________________________ > > dns-privacy mailing list > > dns-privacy@ietf.org > > https://www.ietf.org/mailman/listinfo/dns-privacy > > -- Roland M. van Rijswijk-Deij > -- NLnet Labs > >
- [dns-privacy] Last Call: <draft-ietf-dprive-bcp-o… The IESG
- Re: [dns-privacy] Last Call: <draft-ietf-dprive-b… Rob Sayre
- Re: [dns-privacy] Last Call: <draft-ietf-dprive-b… S Moonesamy
- Re: [dns-privacy] Last Call: <draft-ietf-dprive-b… Rob Sayre
- Re: [dns-privacy] Last Call: <draft-ietf-dprive-b… Roland van Rijswijk-Deij