Re: [dns-privacy] [dprive] Specification of DNS over Dedicated QUIC Connections (draft-ietf-dprive-dnsoquic-04) - feedback

Sara Dickinson <sara@sinodun.com> Tue, 05 October 2021 10:23 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/sO-d8TTyGgKkNMErqoibiEWIpng>

Hi Matthew, 

Sorry for a slow response - thanks for picking up the reference issues! One comment below.

> On 22 Sep 2021, at 16:14, Quick, Matthew <mquick=40verisign.com@dmarc.ietf.org> wrote:
> 
> Dear Christian et al,
>  
> Hello - I hope this finds you well. Please find an additional section suggestion and comments for “draft-ietf-dprive-dnsoquic-04”, below. Your feedback is greatly appreciated. 
>  
> Best,
> Matthew Quick, Verisign
>  
> ____________________________
> 9.  Privacy Considerations
>  
> Justification:
> The reference to [I-D.ietf-dprive-rfc7626-bis] is obsoleted when it became [RFC9076] in July 2021.
>  
> Existing Text:
> The general considerations of encrypted transports provided in "DNS Privacy Considerations" [I-D.ietf-dprive-rfc7626-bis] apply to DoQ.
>  
> Suggested Text:
> The general considerations of encrypted transports provided in "DNS Privacy Considerations" [RFC9076] apply to DoQ.
>  
> ____________________________
> 9.1  Privacy Considerations
>  
> Justification:
> The reference to [RFC7626] is obsoleted when it became [RFC9076] in July 2021.
>  
> Existing Text:
> This risk is in fact a subset of the general problem of observing the behavior of the recursive resolver discussed in "DNS Privacy Considerations" [RFC7626].
>  
> Suggested Text:
> This risk is in fact a subset of the general problem of observing the behavior of the recursive resolver discussed in "DNS Privacy Considerations" [RFC9076].
>  
> ____________________________
> 9.  Privacy Considerations
>  
> Justification: 
> The new text only applies to interactions with authoritative name servers, not stub to recursive, so it fits well as an additional part of Section 9 – Privacy Considerations.  Also, RFC 9076 only mentions QNAME minimization, so it’s helpful to have a separate place to expand the explanation of data privacy.
>  
> New Section Suggested Text:
>  
> 9.5.  Relationship with Minimization Techniques 
> QNAME minimization [RFC7816] reduces the sensitive information exchanged to only what’s necessary to perform a requested function. This reduces the risk of disclosure to both outside and inside parties, with no operational impact on the receiver. Additional minimization methods include NXDOMAIN cut processing [RFC8020], and aggressive DNSSEC caching [RFC8198].

It is a good point that we haven’t covered this kind of consideration. I’d like to suggest adding the following text at the end of the first paragraph of section 9 as a more general improvement since RFC8932 covers privacy stub-to-recursive, recursive-to-auth and data at rest. Section 5.3.1 of RFC8932 covers exactly the references you cite above.

“Similarly, "Recommendations for DNS Privacy Service Operators" [RFC8932] (which covers operational, policy, and security considerations for DNS privacy services) is also applicable to DoQ services.”

Best regards

Sara.