[DNSOP] Roman Danyliw's Discuss on draft-ietf-dnsop-dns-tcp-requirements-13: (with DISCUSS and COMMENT)

Roman Danyliw via Datatracker <noreply@ietf.org> Mon, 25 October 2021 22:02 UTC

From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-dnsop-dns-tcp-requirements@ietf.org, dnsop-chairs@ietf.org, dnsop@ietf.org, Suzanne Woolf <suzworldwide@gmail.com>, suzworldwide@gmail.com
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <163519932265.9299.10540555803853417218@ietfa.amsl.com>
Date: Mon, 25 Oct 2021 15:02:02 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/h3dG9VAEzMUFb4JGSOIxHNyCnvc>
Subject: [DNSOP] Roman Danyliw's Discuss on draft-ietf-dnsop-dns-tcp-requirements-13: (with DISCUSS and COMMENT)

Roman Danyliw has entered the following ballot position for
draft-ietf-dnsop-dns-tcp-requirements-13: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/blog/handling-iesg-ballot-positions/
for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:


This document has a dedicated section for DNS over TLS, makes a number of
configuration recommendations for DoT, and notes it in the Privacy
Considerations.  However, there is no mention of DNS over HTTPS (DoH).  It
seems like DoH should get similar treatment.


Thank you to Alan DeKok for the SECDIR review.

** Section 2.2.
   Yet, defying some expectations, DNS over TCP remained little-used in
   real traffic across the Internet around this time.

This section doesn’t define a time period to associate with “… around this

** Section 2.2.
   Around the time
   DNSSEC was first defined, another new feature helped solidify UDP
   transport dominance for message transactions.

Is that “new feature” EDNS(0) per Section 2.3?

** Section 2.5
   Today, the majority of the DNS community expects, or at least has a
   desire, to see DNS over TCP transactions occur without interference.

Is there a citation for this assertion?

** Section 2.5.  Per the use of [CHES94] and [DJBDNS] to motivate the position
that DNS over TCP is not needed, are there more modern references?  The former
is from 1994, and the latter appears to be last updated in 2002.

** Section 3.
   Lastly, Section 1 of [RFC1536] is updated to eliminate the
   misconception that TCP is only useful for zone transfers.

With what text is Section 1 of [RFC1536] updated?

** Section 4.1.  Consider adding a reference of SYN cookies.

** Section 5.1.  Does the term “DNS Wedgie” have to be used here given its use
in American English as the name for a bullying practice?  Judging from a Google
search (https://www.google.com/search?q="dns+wedgie"), this document appears to
be inventing the term in the context of DNS.

** Section 6.  Per “Furthermore, as with real TCP, …”, what is “real TCP”?

** Section 9.
   Because TCP is somewhat more complex than UDP, some characteristics
   of a TCP conversation may enable fingerprinting and tracking that is
   not possible with UDP.

Recommend being clearer on who is being fingerprinted – s/fingerprinting/DNS
client fingerprinting/

** Section 9.  The text “DNS over TLS or DTLS is the recommended way to achieve
DNS privacy” seems rather soft on recommending encrypted DNS of any flavor.
Was there any WG conversation to say something stronger?

** Section 9.  The text mentions that TCP is more susceptible to
fingerprinting.  It would also be worth mentioning that using DoH reduces
susceptibility to traffic analysis.