Re: [dns-privacy] Alexey Melnikov's No Objection on draft-ietf-dprive-bcp-op-08: (with COMMENT)
Sara Dickinson <sara@sinodun.com> Thu, 05 March 2020 13:35 UTC
Return-Path: <sara@sinodun.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10EEA3A14CF; Thu, 5 Mar 2020 05:35:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sinodun.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mm4cb1tkhOdm; Thu, 5 Mar 2020 05:35:14 -0800 (PST)
Received: from balrog.mythic-beasts.com (balrog.mythic-beasts.com [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1505E3A14BA; Thu, 5 Mar 2020 05:35:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sinodun.com ; s=mythic-beasts-k1; h=To:Date:Subject:From; bh=l2s43CBLONhMo/hE9m895bSqulT5MQ6BXZRuACKuKr0=; b=kfpJbzzo4rfeKllzNF71Kmqygb i+kHkgc9ciXm49ZNDcshU1qN5BFp7ShBqvLK7yWr9o+3c+sDPemUIXvmFDehRKzr5D9lUw4t1MNQj s14DuZWJxrlKm5s0Ng4Y6LD2W5Sl8AnUDcrDM4JRepfSFP5GRaDpS6D88DxXid6RPmazvPH7FJKfc cs5umOZ2dvAmThTyB4Co2THda992u1r9uI0cSnJAe4UpXe/7eU/+5kUtVI2JZSorwXlf/HS5guPM7 RQSqAi079PXqeocmTCD3Mys+X4Un7X0kZg3HBzj7iWn+QZQ35D7Ut/ceaP76+ZokzPqXyC3ky+SN3 9qcbUxvA==;
Received: from [2001:b98:204:102:fffa::2] (port=53555) by balrog.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from <sara@sinodun.com>) id 1j9qeY-0000Ko-10; Thu, 05 Mar 2020 13:35:11 +0000
From: Sara Dickinson <sara@sinodun.com>
Message-Id: <6D575D82-F95D-44BC-90D6-652F1C7F3508@sinodun.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_6A8D7728-2E6F-4C5E-AF8D-51920977075F"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Thu, 05 Mar 2020 13:34:59 +0000
In-Reply-To: <CAHbrMsD=k1Z0t9rPkP053UkwAG-q0QXp5OU4ES2kdpPXHvw=cQ@mail.gmail.com>
Cc: Alexey Melnikov <aamelnikov@fastmail.fm>, The IESG <iesg@ietf.org>, draft-ietf-dprive-bcp-op@ietf.org, Tim Wicinski <tjw.ietf@gmail.com>, dprive-chairs@ietf.org, dns-privacy@ietf.org
To: Ben Schwartz <bemasc@google.com>
References: <158100793900.5172.2649631873195856414.idtracker@ietfa.amsl.com> <0643CFB9-1AA8-4F75-AF83-9F5FDF0F3E0A@sinodun.com> <CAHbrMsD=k1Z0t9rPkP053UkwAG-q0QXp5OU4ES2kdpPXHvw=cQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-BlackCat-Spam-Score: -16
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/sVugpWCNYc5zRzZNo9Gh81mkbIM>
Subject: Re: [dns-privacy] Alexey Melnikov's No Objection on draft-ietf-dprive-bcp-op-08: (with COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2020 13:35:23 -0000
> On 4 Mar 2020, at 18:44, Ben Schwartz <bemasc@google.com> wrote: > On Wed, Mar 4, 2020 at 8:32 AM Sara Dickinson <sara@sinodun.com> wrote: > >> >> >> On 6 Feb 2020, at 16:52, Alexey Melnikov via Datatracker <noreply@ietf.org> >> wrote: >> >> Alexey Melnikov has entered the following ballot position for >> draft-ietf-dprive-bcp-op-08: No Objection >> >> When responding, please keep the subject line intact and reply to all >> email addresses included in the To and CC lines. (Feel free to cut this >> introductory paragraph, however.) >> >> >> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html >> for more information about IESG DISCUSS and COMMENT positions. >> >> >> The document, along with other ballot positions, can be found here: >> https://datatracker.ietf.org/doc/draft-ietf-dprive-bcp-op/ >> >> >> >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> I think this is a very useful document and I am looking forward to it >> getting >> published. >> >> I support updated Ben’s DISCUSS. >> >> ********************************************************************** >> * Note, that I am conducting an experiment when people aspiring to be* >> * Area Directors get exposed to AD work ("AD shadowing experiment"). * >> * As a part of this experiment they get to review documents on IESG * >> * telechats according to IESG Discuss criteria document and their * >> * comments get relayed pretty much verbatim to relevant editors/WGs. * >> * As an AD I retain responsibility in defending their position when * >> * I agree with it. * >> * Recipients of these reviews are encouraged to reply to me directly * >> * about perceived successes or failures of this experiment. * >> ********************************************************************** >> >> The following comments were provided by Benjamin Schwartz < >> bemasc@google.com>: >> >> Benjamin would have balloted *DISCUSS* on this document. He wrote: >> >> This draft is close to ready, but it contains some elements that are not >> appropriate for IETF publication or lack IETF consensus. >> >> ## Section 1 >> >> Typo: “For example the user has a clear expectation of which resolvers have >> visibility of their query data however this...” -> Add a period before >> “however”. >> >> >> Barry suggested this and additional grammatical improvements which I will >> make. >> >> >> Inappropriate subject matter: >> >> It is an untested area that simply using a DNS >> resolution service constitutes consent from the user for the operator >> to process their query data. >> >> This is legal speculation, not appropriate for IETF. Strike this sentence. >> >> >> I think this is an important point to make and no-one has contested this >> at any point in the development of the draft (I suspect DPRIVE is a good >> audience for anyone who would know any different). >> >> RFC7626 already includes this text: >> “To our knowledge, there are no specific privacy laws for DNS data, in any >> country. Interpreting general privacy laws like >> [data-protection-directive] (European Union) in the context of DNS traffic >> data is not an easy task, and we do not know a court precedent here. See >> an interesting analysis in [sidn-entrada].” >> >> I’m more than happy to qualify the text in this document with a ’To our >> knowledge, '… >> > > I don't especially like the text in RFC 7626 either (do we really have IETF > consensus on the ease or difficulty of reading particular laws?). However, > I do think it's better than the text here. "We do not know of a court > precedent" is appropriately qualified, and the implied claim ("there is no > court precedent") is close to factual in nature. In contrast, "it is an > untested area" sounds less like a fact, and more like a legal opinion or > analysis offered by the IETF. How about: “We do not know of a court precedent relating to the question of whether simply using a DNS resolution service constitutes consent from the user for the operator to process their query data" > >> >> Clarity: >> >> Privacy considerations specifically >> from the perspective of an end user ... are out of scope. >> >> This seems confusing as written: surely it is the privacy of end users >> (and not >> of resolver operators) that this draft seeks to protect. Please rephrase >> or >> omit this disclaimer. >> >> >> I think this is trying to capture the point that there are additional >> general considerations for an end user that an operator cannot control. >> >> Suggest: >> “Privacy considerations specifically from the perspective of an end user >> (for example, choice of client software or resolver selection policies)...." >> > > I still don't understand. Perhaps "Choices that are made exclusively by > the end user ... are out of scope”? WFM. > > >> >> >> ## Section 5.1 >> >> Version skew: dprive-rfc7626-bis no longer has a Section 2.4.2 or 2.5.3. >> >> >> Ack - Ben K’s DISCUSS captures the problems with Section renumbering... >> >> >> ## Section 5.1.2 >> >> Clarity: Redirection of traffic to rogue servers does not match the usual >> definition of “surveillance”. I would suggest adding an explanation of how >> this active attack is a privacy threat. Presumably you are referring to >> merely >> intercepting the user’s DNS queries, as opposed to substituting modified >> DNS >> responses in order to monitor post-DNS network activity, but the text is >> not >> clear on this distinction. >> >> >> Is is potentially both - section 2.5.3 (Rogue servers) is now >> section 3.5.1.2 (Active Attacks on Resolver Configuration) >> in draft-ietf-dprive-rfc7626-bis-04 which describes the issues in detail. >> So I believe updating the bullet point to be >> >> * Active attacks on resolver configuration as described in >> [I-D.ietf-dprive-rfc7626-bis] Section 3.5.1.2 >> >> (or whatever that section ends up being numbered) should do it? >> > > OK. > >> >> >> ## Section 5.1.3.1 >> >> Current practices: I don’t think either EDNS(0) Keepalive or DNS Stateful >> Operations is currently in use with DNS-over-TLS, so this recommendation >> seems >> too strong for a BCP. For example, this could say “Management of TLS >> connections as described in RFC 7766. EDNS(0) Keepalive and DNS Stateful >> Operations may provide additional performance benefits.” >> >> >> The Stubby client implements Keepalive and several test servers also use >> it: >> https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/ >> Admittedly none of the big anycast services use it. >> >> How about moving it to a ‘Additional option’? >> > > Sounds good to me. > > >> >> Moving DSO to a separate sentence as you describe seems correct though as >> I am not aware of any implementation of that. >> >> >> Scope: The optimizations here are performance optimizations, which seem >> out of >> place in this document. I would suggest focusing the document on >> “Encrypted >> DNS Service Privacy Recommendations”, and remove any recommendations >> related to >> performance and reliability, which are already well-covered by >> standards-track >> RFCs. >> >> ## Section 5.2.1 >> >> Content: I think there’s a missing mitigation here, which is employed >> virtually >> universally among large DNS Privacy deployments: IP erasure. DNS operators >> typically distinguish between PII-logs, which are retained at most >> briefly, and >> non-PII logs, which are retained for a longer period. I believe this is a >> best >> practice and worth documenting. >> >> >> I think it is currently there but a bit hidden in the distinction between >> transient and retained data and also : “ If data is retained it should be >> encrypted and either aggregated, pseudonymized, or anonymized whenever >> possible.” >> >> So bullet 1 could have the following sentence added: >> >> “Such transient data may be deemed to require inclusion of personal >> identifiers and should be handled with appropriate care.” >> >> and bullet two the following: >> >> “Data retained for any period of time should use data minimisation >> techniques to remove personal identifiers." >> > > Sure. I would say "such as IP addresses", since they are almost always the > only personal identifiers. Will do. > > >> >> >> >> ## Section 5.3.1 >> >> Document interaction: This section comes awfully close to updating or >> deprecating ECS, which we do not have IETF consensus for. I think the BCP >> here >> should restrict itself to disclosing the server’s ECS behavior and imposed >> prefix length limit. >> >> >> Ben K also made a comment on this... >> >> RFC7871 (which is only Informational) admits in the abstract that “... it >> has some known operational and privacy shortcomings” and section 2 >> suggests it should be disabled by default in client software and clients >> should be able to opt-out. >> >> The first bullet point (honouring the SOURCE PREFIX-LENGTH) is already >> specified in RFC8310. >> > > That bullet currently says "Honor a SOURCE PREFIX-LENGTH set to 0 ... and > not send an ECS option in upstream queries." This conjunction is > ambiguous. It also creates a needless technical conflict with RFC 7871, > which says "The subsequent Recursive Resolver query to the Authoritative > Nameserver will then either not include an ECS option or MAY optionally > include its own address information". > > I would suggest "Honor a SOURCE PREFIX-LENGTH set to 0 ([RFC 7871] Section > 7.1.2).", and avoid restating the required behavior. Yes - that works. > > This document also has only limited scope… I would say that this text has >> DPRIVE consensus for its application specifically to DNS privacy services.. >> > > All the other optimization sections are described as bare actions for the > operator to take. Only this one contains normative language. I would > suggest removing the "should”. This lower case ’should' is not intended as normative but happy to modify for clarity. Many thanks Sara. > > >> >> >> ## Section 6.1.1 >> >> Terminology: “PII” appears here for the first time, and is not defined. >> >> >> Alissa suggested replacing with the definition of personal data from RFC >> 6973, which seems better. >> >> Best regards >> >> Sara. >> >> > _______________________________________________ > dns-privacy mailing list > dns-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/dns-privacy
- [dns-privacy] Alexey Melnikov's No Objection on d… Alexey Melnikov via Datatracker
- Re: [dns-privacy] Alexey Melnikov's No Objection … Sara Dickinson
- Re: [dns-privacy] Alexey Melnikov's No Objection … Ben Schwartz
- Re: [dns-privacy] Alexey Melnikov's No Objection … Sara Dickinson
- Re: [dns-privacy] Alexey Melnikov's No Objection … Ben Schwartz
- Re: [dns-privacy] Alexey Melnikov's No Objection … Vittorio Bertola