Re: [dns-privacy] Working Group Last Call draft-ietf-dprive-dtls-and-tls-profile

Sara Dickinson <sara@sinodun.com> Wed, 26 October 2016 13:24 UTC

Return-Path: <sara@sinodun.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04CD9129672 for <dns-privacy@ietfa.amsl.com>; Wed, 26 Oct 2016 06:24:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jOCY7gnZsF7M for <dns-privacy@ietfa.amsl.com>; Wed, 26 Oct 2016 06:24:13 -0700 (PDT)
Received: from shcp01.hosting.zen.net.uk (shcp01.hosting.zen.net.uk [88.98.24.67]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A9E512965D for <dns-privacy@ietf.org>; Wed, 26 Oct 2016 06:24:13 -0700 (PDT)
Received: from [62.232.251.194] (port=6033 helo=virgo.sinodun.com) by shcp01.hosting.zen.net.uk with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.87) (envelope-from <sara@sinodun.com>) id 1bzOBS-0005ws-SS; Wed, 26 Oct 2016 14:24:09 +0100
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.0 \(3226\))
From: Sara Dickinson <sara@sinodun.com>
In-Reply-To: <03AC11BC-BE33-47B8-B1A2-1BDC26280B2C@vpnc.org>
Date: Wed, 26 Oct 2016 14:23:59 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <7BAA0258-E476-4940-8430-80BC8ED4FD94@sinodun.com>
References: <5dc29c0c-9f34-dcac-8d94-f2722ee6a4ba@gmail.com> <03AC11BC-BE33-47B8-B1A2-1BDC26280B2C@vpnc.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>
X-Mailer: Apple Mail (2.3226)
X-OutGoing-Spam-Status: No, score=-2.9
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - shcp01.hosting.zen.net.uk
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - sinodun.com
X-Get-Message-Sender-Via: shcp01.hosting.zen.net.uk: authenticated_id: sara+sinodun.com/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: shcp01.hosting.zen.net.uk: sara@sinodun.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/p954cDr0q3-yUfzunztN1Pva2v4>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Subject: Re: [dns-privacy] Working Group Last Call draft-ietf-dprive-dtls-and-tls-profile
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Oct 2016 13:24:18 -0000

> On 23 Oct 2016, at 00:25, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> 
> Greetings. I apologize for this being late, but I kinda wanted to see what topics other reviewers focused on. However, other than Stéphane's review, nothing has been said.

Paul, 

Many thanks for the detailed review. This feedback is much appreciated.

> 
> There are some big topics for the document that I have split out into other messages. Some may be considered rehashing of earlier discussions, and I'm totally open to "nope, that's not what the WG wants", but I think it is worth making sure we all still feel that way. The rest of this message are nits.
> 
> Section 1: "The proposals here might be adapted or extended in future to be used for recursive clients and authoritative servers, but this application is out of scope for the DNS PRIVate Exchange (DPRIVE) Working Group per its current charter." This document will long outlive the WG, so everything after the first comma should be removed.

So…. this got added after multiple comments of ‘why is recursive to auth not in scope?”. It is also lifted directly from RFC7858 (DNS-over-TLS) as it was the wording used to justify the scope at the time of publication of that document. But there have been several comments on this sentence and that is the response I have given every time :-)  If the charter is changed before this document is published I agree this should be updated but I happen to think this gives useful context for future readers. But would like to hear what others think.

> 
> Section 1: "How a DNS client can verify that any given credential matches the domain name obtained for a DNS server." "obtained" is somewhat difficult here because there are many ways that the name is determined. Proposal: "matches the domain name of the DNS server”.

We used the word ‘obtained' here as in the early discussions there was confusion about what domain name (or names) a DNS server serves, and what the domain name that is used for authentication is. We wanted to be clear there is no correlation between the two.  Hence the rather clumsy wording that is at least consistent between the first and third bullet points. 

OLD:
   o  How a DNS client can obtain a domain name for a DNS server to use
      for (D)TLS authentication.

   o  What are the acceptable credentials a DNS server can present to
      prove its identity for (D)TLS authentication based on a given
      domain name.

   o  How a DNS client can verify that any given credential matches the
      domain name obtained for a DNS server.

NEW:
   o  How a DNS client can obtain an ‘authentication domain name' for a DNS server to use
      for (D)TLS authentication.

   o  What are the acceptable credentials a DNS server can present to
      prove its identity for (D)TLS authentication based on a given
      domain name.

   o  How a DNS client can verify that any given credential matches the
      ‘authentication domain name' for a DNS server.

In fact maybe it would be better to define ‘authentication domain name’ in the terminology an use it throughout?

> 
> Section 1: "DNS-over-TLS draft" should be [RFC7858].

Fixed.

> 
> Section 2: "forwarder/proxy" (used twice) The rest of the sentence talks only about forwarder, and it's not clear how a proxy differs from a forward, so maybe just change these to "forwarder”.

Done. 

> 
> Section 4: In Table 1, change "N (D)" to "ND". I cannot figure out what the parentheses mean, and all three N situations are ND.

Parenthesis removed. 

> 
> Section 4.3.1: "Bootstrapping" is not a widely-understood term.

Really? A quick Google finds RFC4173 from 2005 which has Bootstrapping in the title. It would be nice to keep it unless there are general objections as it more accurately describes the specific issue addressed in that section.

> 
> Section 8.3: The "[NOTE:" is not really a note, it is a full statement. Proposal: remove "[NOTE:" and "]”.

Done. 

> 
> Section 11: The first paragraph covers multiple topics; it could be broken after second sentence.

Done.

Thanks - working my way through your other emails!

Sara.