Re: [dns-privacy] Fwd: New draft-ietf-dprive-unauth-to-authoritative and draft-pp-dprive-common-features

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 26 May 2021 13:21 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/p0H6dsyvIvEJLNPbBVs7U63EmTU>

Hiya,

On 25/05/2021 22:16, Tim Wicinski wrote:
> All
> 
> The authors took the advice from the working group and extracted the more
> common features into a separate document.   The chairs would like the
> working group to give some comments, as we feel a document like this
> should be considered for adoption.

I think it might be useful to adopt such a document. But
there is a risk that it turns out to be a waste of time
if it ends up more as a tool (ab)used in arguments about
which direction(s) to take rather than a bit of spec text
that's common to >1 approach. So, I'm not sure if adopting
this soon would be a good idea or not.

WRT a couple of other points mentioned in the thread:

- "Authenticated" has been used in two different ways. For
TLS, what's authenticated is the NS. For DNSSEC, what's
authenticated is the zone signing entity. Those are not
the same entities in almost all cases so it'd be better to try
hard to not confuse those.

- SVCB in the parent zone will take years to happen, if
it ever does, other than sporadically. The equivalent "DS
in the parent" problem is IMO a major reason why DNSSEC
has not been a success. I've not seen any credible argument
as to why it'd be easier to get SVCB into parent zones.

On the draft itself:

- The draft seemed ambiguous to me about how the SVCB
gets into a resolver's cache, maybe that's ok to fix in a
bit, or maybe it'd differ with different approaches, but
the authors' intent wasn't clear to this reader.

- I didn't get the intended behaviour when the "use TLS"
signal is seen, but not for all NS instances. (Maybe that's
in the pseudocode, but I didn't read that bit sorry;-)

Cheers,
S.

PS: I'm one of those who do think an opportunistic mode
is worthwhile exploring as a stepping stone to an eventual
mode with TLS server auth.


> 
> 
> https://datatracker.ietf.org/doc/draft-pp-dprive-common-features/
> https://www.ietf.org/archive/id/draft-pp-dprive-common-features-01.txt
> Please read and comment on this draft.
> 
> thanks
> tim
> 
> 
> ---------- Forwarded message ---------
> From: Paul Hoffman <paul.hoffman@icann.org>
> Date: Wed, May 19, 2021 at 12:59 PM
> Subject: [dns-privacy] New draft-ietf-dprive-unauth-to-authoritative and
> draft-pp-dprive-common-features
> To: dprive@ietf.org <dprive@ietf.org>
> 
> 
> Greetings again. Peter and I have revised
> draft-ietf-dprive-unauth-to-authoritative and
> draft-pp-dprive-common-features based on recent mailing list traffic. One
> major change is that we realized that we could move even more sections from
> unauth-to-authoritative to common-features because they would apply to the
> fully-authenticated use case. Please review them to see if you agree.
> 
> If people like the idea of us splitting out common features, it would be
> good if it too became a WG document, particularly to help focus the
> discussions on the unauthenticated and fully-authenticated use cases.
> 
> --Paul Hoffman and Peter van Dijk
> 
> https://www.ietf.org/archive/id/draft-pp-dprive-common-features-01.txt
> https://www.ietf.org/archive/id/draft-ietf-dprive-unauth-to-authoritative-01.txt
> 
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy
> 