Re: [dns-privacy] Francesca Palombini's No Objection on draft-ietf-dprive-dnsoquic-10: (with COMMENT)
Sara Dickinson <sara@sinodun.com> Tue, 22 March 2022 10:02 UTC
Return-Path: <sara@sinodun.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02DC33A0DD3; Tue, 22 Mar 2022 03:02:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.11
X-Spam-Level:
X-Spam-Status: No, score=-2.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sinodun.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TB88OqMr3Q16; Tue, 22 Mar 2022 03:02:35 -0700 (PDT)
Received: from haggis.mythic-beasts.com (haggis.mythic-beasts.com [IPv6:2a00:1098:0:86:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ADCC13A0D8F; Tue, 22 Mar 2022 03:02:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sinodun.com ; s=mythic-beasts-k1; h=To:Date:From:Subject; bh=RY1swY1L5aU7HpD888FP4jQNZm1GEIuXTB6445pQvaE=; b=nycITIp/yYAn68iMPB1NZTjtOD PrOixW9zZEXUv0aGnGGfpdSN66j7xX1rzF01wOpGH15ItxeLheVFTWHmQRxZUOrXGv1Bv3cqy1sMM KpXlYz5hbdn0ZhHQTmHaKHzDKRIUo2nBDwUbHSunAm6B1ifnXlrs36xPtlyb380jtDD4mJIUQ++/X +Ukh6S0qHDgeeFjbwFCZYpfctTvk4s/SVUZQQI+NE68+/PKpeSHFe9VU+I3qXa6LHsF+UnGpfEe+J r4qvBI4MJbdYjZQT5H+VIWu7/a0EEn72uun2KVqcGMNnizGZILF+QzEQ+srGvFl73fREHnyYW8dRF gDPml5vQ==;
Received: from 82-68-3-134.dsl.in-addr.zen.co.uk ([82.68.3.134]:19004 helo=smtpclient.apple) by haggis.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from <sara@sinodun.com>) id 1nWazL-0005yF-Nd; Tue, 22 Mar 2022 09:39:39 +0000
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Sara Dickinson <sara@sinodun.com>
In-Reply-To: <164686749934.27267.11756879686892514537@ietfa.amsl.com>
Date: Tue, 22 Mar 2022 09:39:37 +0000
Cc: The IESG <iesg@ietf.org>, draft-ietf-dprive-dnsoquic@ietf.org, dprive-chairs@ietf.org, dns-privacy@ietf.org, brian@innovationslab.net
Content-Transfer-Encoding: quoted-printable
Message-Id: <3A831B16-4BF3-454F-9558-D4A8BAE927A8@sinodun.com>
References: <164686749934.27267.11756879686892514537@ietfa.amsl.com>
To: Francesca Palombini <francesca.palombini@ericsson.com>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
X-BlackCat-Spam-Score: 4
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/z7h8thw3JTtyvBS9f-jWO-lT338>
Subject: Re: [dns-privacy] Francesca Palombini's No Objection on draft-ietf-dprive-dnsoquic-10: (with COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2022 10:02:40 -0000
> On 9 Mar 2022, at 23:11, Francesca Palombini via Datatracker <noreply@ietf.org> wrote: > > Francesca Palombini has entered the following ballot position for > draft-ietf-dprive-dnsoquic-10: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-dprive-dnsoquic/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thank you for the work on this document, I only have two comments below. Hi Francesca, Many thanks for the comments - please see the updates in version -11 which was just published, which we hope address your comments. > > Francesca > > 1. ----- > > 443 is less likely to be blocked than other ports. Several > mechanisms for stubs to discover recursives offering encrypted > transports, including the use of custom ports, are the subject of > ongoing work. > > and > > For the recursive resolver to authoritative nameserver scenario, > authentication requirements are unspecified at the time of writing > and are the subject on ongoing work in the DPRIVE WG. > > FP: Are there (informative) references you can point the reader to? For the first, we’ve simply updated the text to: “ since port 443 is used by many services using QUIC and HTTP-3 and thus less likely to be blocked than other ports. “ For the second, we did include various references to ongoing recursive-auth work in earlier versions but as the churn was so high we agreed with previous reviewers to remove them. It is still the case that that work in in flux so I’m very hesitant to add anything back in. > > 2. ---- > > If a peer encounters such an error condition it is considered a fatal > error. It SHOULD forcibly abort the connection using QUIC's > CONNECTION_CLOSE mechanism, and SHOULD use the DoQ error code > DOQ_PROTOCOL_ERROR. > > FP: Just seeing now that Alvaro has the same comment here - it would make sense > to state why the first SHOULD is not a MUST. What is the exception where it > would make sense that the peer does not abort the connection? Or is it the > CONNECTION_CLOSE mechanism that can be skipped in some cases, so the "SHOULD" > apply only to that mechanism and not to the abort? Some more text here would be > useful. Yes - same comment from Alvaro. We updated to: "In some cases, it MAY instead silently abandon the connection, which uses fewer of the local resources but makes debugging at the offending node more difficult.” Best regards Sara.
- [dns-privacy] Francesca Palombini's No Objection … Francesca Palombini via Datatracker
- Re: [dns-privacy] Francesca Palombini's No Object… Sara Dickinson