Re: [dns-privacy] Mirja Kühlewind's No Objection on draft-ietf-dprive-bcp-op-08: (with COMMENT)

Sara Dickinson <sara@sinodun.com> Wed, 04 March 2020 13:30 UTC

Return-Path: <sara@sinodun.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DA5C3A0EF5; Wed, 4 Mar 2020 05:30:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sinodun.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9Z_vlms3eAc2; Wed, 4 Mar 2020 05:30:12 -0800 (PST)
Received: from balrog.mythic-beasts.com (balrog.mythic-beasts.com [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64AF13A0F2C; Wed, 4 Mar 2020 05:30:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sinodun.com ; s=mythic-beasts-k1; h=To:Date:From:Subject; bh=o7AU39vk8GflmbsXmC3whccjR10Zna+n5u/BOtCs3e8=; b=exNMmCiTKG8kxQ3kGH7mAOZm5j FlxTZveCrPUp6pR2flJhJQ+edAqAvPZaKhf2LQzzbT2O4dO54NGGPwWQn/ULq6kVzju/nIUXzd2w+ Cn+/Wy8afULrfPH9vAllhSvcAwpSBCXH14JEwoVyHI14g8FhBobXvtxcLbIr7oRIer69GuM6DdA8K IWZQ6YCPVX25I1tYZpJaTl+wzT4KKAHLnST8bJAubVUZSDlVjhU8K0Q0EIexvuClUjp1FuDOBVNC3 SLKQWEXcHssWPwmdYFCx0KQnUT9PiQB9BJuMfmdEEyWoXXEB+Qrlr86+RYrb5I1eLZW/3yl32yIzv 80qD9u6w==;
Received: from [2001:b98:204:102:fffa::2] (port=63226) by balrog.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from <sara@sinodun.com>) id 1j9U6A-0001Dt-OR; Wed, 04 Mar 2020 13:30:10 +0000
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Sara Dickinson <sara@sinodun.com>
In-Reply-To: <158046754020.21129.5801576555538640582.idtracker@ietfa.amsl.com>
Date: Wed, 4 Mar 2020 13:30:05 +0000
Cc: The IESG <iesg@ietf.org>, draft-ietf-dprive-bcp-op@ietf.org, Tim Wicinski <tjw.ietf@gmail.com>, dprive-chairs@ietf.org, dns-privacy@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <5B5C907C-84E8-43F8-929A-36F5C7C17FC0@sinodun.com>
References: <158046754020.21129.5801576555538640582.idtracker@ietfa.amsl.com>
To: =?utf-8?Q?Mirja_K=C3=BChlewind?= <ietf@kuehlewind.net>
X-Mailer: Apple Mail (2.3445.104.11)
X-BlackCat-Spam-Score: 4
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/wH2ynO2uKELwgl8_VZvij6Sb664>
Subject: Re: [dns-privacy] =?utf-8?q?Mirja_K=C3=BChlewind=27s_No_Objection_on?= =?utf-8?q?_draft-ietf-dprive-bcp-op-08=3A_=28with_COMMENT=29?=
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Mar 2020 13:30:19 -0000


> On 31 Jan 2020, at 10:45, Mirja Kühlewind via Datatracker <noreply@ietf.org> wrote:
> 
> Mirja Kühlewind has entered the following ballot position for
> draft-ietf-dprive-bcp-op-08: No Objection
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-dprive-bcp-op/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> A couple of small comments/questions:
> 
> 1) RFC2119/RFC8174 disclaimer is present in section 4, however, it does seem to
> be the case that normative language is used. I would recommend to actually use
> normative language in this doc!
> 

There is one key instance of a SHOULD in section 5 which ripples through the entire document because it covers the requirement for the various mitigations. 

“This document does not specify policy - only best practice, however
   for DNS Privacy services to be considered compliant with these best
   practice guidelines they SHOULD implement (where appropriate) all:"

It is easy to miss though…...

> 
> 2) Can you actually provide references for the techniques listed in Table 1?

Do you mean the Categorization/Properties or the actual techniques listed? The latter are described in detail in Appendix B.

> 
> 3) Sec 5.1.3.1:
> “A DNS-over-TLS privacy service on both port 853 and 443.  This
>      practice may not be possible if e.g. the operator deploys DoH on
>      the same IP address.”
> Isn’t 443 basically DoH?

No, this means using the DNS-over-TLS protocol, just on port 443 by prior agreement between client and server (RFC7858 describes this). No HTTPS involved.

> Why would you deploy DoT over 853?
> Is that a common practice? Sorry if I miss something…

Port 853 is the IANA assigned port for DoT. Before DoH was a thing, it was suggested that running DoT on 443 would prevent issues where port 853 might be blocked - several early DoT services did this. 

Best regards

Sara.