Re: [dns-privacy] I-D Action: draft-ietf-dprive-unilateral-probing-00.txt
Christian Huitema <huitema@huitema.net> Sun, 10 April 2022 18:57 UTC
Return-Path: <huitema@huitema.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5461F3A0DE3 for <dns-privacy@ietfa.amsl.com>; Sun, 10 Apr 2022 11:57:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bSQlkCBw_fuV for <dns-privacy@ietfa.amsl.com>; Sun, 10 Apr 2022 11:57:47 -0700 (PDT)
Received: from mx36-out10.antispamcloud.com (mx36-out10.antispamcloud.com [209.126.121.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 351663A0DE1 for <dns-privacy@ietf.org>; Sun, 10 Apr 2022 11:57:46 -0700 (PDT)
Received: from xse266.mail2web.com ([66.113.197.12] helo=xse.mail2web.com) by mx257.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1ndckp-0009wk-6N for dns-privacy@ietf.org; Sun, 10 Apr 2022 20:57:45 +0200
Received: from xsmtp21.mail2web.com (unknown [10.100.68.60]) by xse.mail2web.com (Postfix) with ESMTPS id 4Kc1T157Jvz9kc for <dns-privacy@ietf.org>; Sun, 10 Apr 2022 11:57:41 -0700 (PDT)
Received: from [10.5.2.49] (helo=xmail11.myhosting.com) by xsmtp21.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1ndckn-0006eZ-JL for dns-privacy@ietf.org; Sun, 10 Apr 2022 11:57:41 -0700
Received: (qmail 3184 invoked from network); 10 Apr 2022 18:57:40 -0000
Received: from unknown (HELO [192.168.1.105]) (Authenticated-user:_huitema@huitema.net@[172.58.43.16]) (envelope-sender <huitema@huitema.net>) by xmail11.myhosting.com (qmail-ldap-1.03) with ESMTPA for <dkg@fifthhorseman.net>; 10 Apr 2022 18:57:40 -0000
Content-Type: multipart/alternative; boundary="------------HWJyfOixbf55AAQpQUKLePu0"
Message-ID: <743bea81-873a-7099-3a6b-e894103a4a85@huitema.net>
Date: Sun, 10 Apr 2022 11:57:40 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.8.0
Content-Language: en-US
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Sara Dickinson <sara@sinodun.com>, dns-privacy@ietf.org
References: <164667566033.16942.15407079409764144071@ietfa.amsl.com> <F923A397-81EA-4C6B-87C9-571168FBE6E1@sinodun.com> <87ilrgkjjs.fsf@fifthhorseman.net>
From: Christian Huitema <huitema@huitema.net>
In-Reply-To: <87ilrgkjjs.fsf@fifthhorseman.net>
X-Originating-IP: 66.113.197.12
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT9WLQux0N3HQm8ltz8rnu+BPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5zh2yKlFwkOJL4c32G0KduLVjVx0XVkNnHJMw/amoreOZ7E hUHx17PZVOhAE4w+JFV0JaV91OXBiolGJevyz5m8SxIRXVMlFuiz/acFNeeXtxN2fFxZWB9eYgpR BRu3UlDHMLIJYRi1cXH9Dbm+IxLVzObbL13a7/+AYM+EyQdmbnGFd932lfz+R/06O3Iy4amaVarp Z0LfU2AP/MzLXlymkVWClPVvbW5lVyQanRxw5hTHswbbB/ha+ZWrSAi8SkwqWAikMcSxTAWn8RCv ieGEqjG/gXZAaRh1X6LVetRf2ZYIiHqfCgG4wrA3w4/kQTYKxDHA9JN9J4k4XZq11JQkMemT4rxn nByU11Ftkqf3f/PF3GUV+KdBBqrnCX8j0Gi8Ksk+aedMfNWSnJswrtlNtZo3HPHi5Q+jjsF5dcBx ehWYzrkgsp4/Fysgb2cPV4IH0+lPwKr4i5mAANUcVraZYOaeuiH/yEdZH8S1+TgcJBOjh0vPxcQO jKKOrYIQYpwamUdylUIKhf3z2GAHxH7IBAaAB9SiL80iwHtGBZiikgJ7Yk+SWN8eNDNBlkTeVa1T /vuxUv0hdVtCQ1xjVQz7KK8qgoX3qtqBY7olcAAV8nYUYKqwGwZHdaZ8HwmXaEfTulJRptMnEIdG JW7dfhGq92PNDpgLsd6Ddd/s7VM53k5B0nFOyZ1luwLp/NVo4NwOtp+q3yU+z72+fnpodgpDAkUP gG8rP4yhKuES0Q4ln+6IYGu9yKN58cSvYsxHvUlmMRr+w2X69ygMahiTQMBdGpjsWmlb+TZjRORs JMbfpTheMPxghFsjIwINNqkbXC8q7fBXfwiTkcwbv0dB5b3yNR3oW5YiBYO7UVjw0gdRPrII++x6 YSSQfv2n7TJ4De1knRDjH7QY7Fm+gQ0M40rBtaly/uPaPGs4IuAYIIDnnmIMx2SsJMcYcfaTa1Z5 siYOS4qqjKkTvrhEiORgsEtrMS+4ayUpOtEhdxekWDmK9g==
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/uWE4loQKQdi4wDwr19C1LtLqEig>
Subject: Re: [dns-privacy] I-D Action: draft-ietf-dprive-unilateral-probing-00.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Apr 2022 18:57:50 -0000
On 4/10/2022 9:08 AM, Daniel Kahn Gillmor wrote: >> - from a client perspective the concept of unilateral probing is >> pretty clear. There is a defined behavior for direct probing, which >> will be different from the behavior if 'external coordination' is >> available. >> >> - however servers can't know for sure how the client discovered them >> or how/if they are authenticating the connection. This document >> doesn't prescribe a way to know that a server is 'only' doing >> unilateral deployment and/or something else, hence the potential >> future issues with signalling. >> >> - given this draft is Informational and is designed to enable >> experiments I can't remember if there has already been discussion of >> using an 'alternative' ALPN for this initial deployment? By that I >> mean, use something like 'doq-p01’(DoQ probing 01) for these kind on >> connections (in the same way I-D tagged ALPNs are used during protocol >> development)? That way each side knows explicitly how to behave and >> statements like "An authoritative DNS server that wants to handle >> unilateral queries' would have clear meaning. Whilst this is taking >> liberties with ALPN and may have already been dismissed as an option, >> it does solve a number of problems in the short term and enable >> negotiation and evolution. Just asking:-) > This is an interesting question: the proposal to play games with ALPN > hasn't yet been raised to my knowledge. > > Due to ALPN's transport in the clear for a normal TLS handshake, i'd be > reluctant to endorse that use here. I don't think we want a network > observer to know which encrypted transports are opportunistic and which > are due to signalled information. > > I'm also trying to get my head around what such an indicator would be > useful for. Presumably the authoritative server would behave > differently based on that indicator, but i'm having a hard time > imagining what the authoritative server should do differently. Is it > just for statistics/accounting? Can you explain what you think the > purpose of such an indicator would be? I am not convinced that clients doing unilateral probing should signal it. After all, the goal of unilateral probing is to "just use encryption" without requiring specific signaling. Plus, in general, servers do not know why a specific request is sent to them, which specific NS record was accessed, whether a CNAME was involved, etc. Like DKG, I would be very reluctant to change the wire image and have visible differences between opportunistic and regular connections. This would invite differentiated treatment in routers and firewalls, which breaks the whole point of opportunistic discovery. But Sara has a point, we should give servers a way to control the deployment. Servers could very well be flooded with queries just after starting to test DoT and DoQ. We should address that by changing the server responses, not the client queries. For example, we might want to define an extended DNS error message rejecting a query because the capacity to process encrypted requests is exceeded. And we might want to specify that clients receiving such messages should stop unilateral attempts to use that server for a while. DoT or DoQ servers could use that to progressively enable the service for a fraction of their clients, maybe using some kind of filter based on the client's IP. -- Christian Huitema
- [dns-privacy] I-D Action: draft-ietf-dprive-unila… internet-drafts
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-u… Sara Dickinson
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-u… Daniel Kahn Gillmor
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-u… Ilari Liusvaara
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-u… Christian Huitema
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-u… Daniel Kahn Gillmor
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-u… Daniel Kahn Gillmor
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-u… Christian Huitema
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-u… Daniel Kahn Gillmor