Re: [DNSOP] Roman Danyliw's Discuss on draft-ietf-dnsop-dns-tcp-requirements-13: (with DISCUSS and COMMENT)

Roman Danyliw <rdd@cert.org> Tue, 02 November 2021 20:00 UTC

Return-Path: <rdd@cert.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E20883A091F; Tue, 2 Nov 2021 13:00:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=seicmu.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qLgZ_rmGjrRy; Tue, 2 Nov 2021 13:00:07 -0700 (PDT)
Received: from USG02-BN3-obe.outbound.protection.office365.us (mail-bn3usg02on0109.outbound.protection.office365.us [23.103.208.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 231233A0929; Tue, 2 Nov 2021 13:00:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=ngdkH7IL8HwmAi4s9UXeN0qadv6AszNHdbzpJ6NV6n/gsrHWJ111WEgKAJ8XGRA4gKoxH73rf9nERslYY7pRCPFIUnzixgw/omXq4Vz4k/mn33eDFPjigxKWW4jx+5pqAuUIgUJCFFlydWvQviSkWtGtCEKCOj7TC0z7iE79CoYAugXz8mvIcjjsoCtj6AWg93cuUBkCIJ5UhWVBiIPh4nsuJjEjExgxyT7B2Yw4oJvj62kGAfMKukrzlYIwh5l2a0ZWDlwUzxYI81BQSzgO4lb5UHsHzUWTZhRQm0iYby2x5wINOWLNheFuRFDFdxfAzXsY+oMTUKkWLZAJVSy8RA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=CZjGwcM8lI3QaupY/1I65ZXgngSINNcH3AgBSJg1p/E=; b=XGCgjKnG0EVjEyAQTCRA7Ijo+PFqtFLADDfFn8bIY/XaRe02qYdLYGL1Kc/OVFQm3V5ktvOFY1EOaiAnsjxXh5yv8ngPYZKBxabpE+27pQ+SjxH0/UlaWGVFR+FAD2x53/y+9XGd8mBL+916ZsmcQt75S5C0YdAoXS2epycDP2VnAwtQpJwG2PdQNStu5JfJWx6y6Zm9eEl3vwpwZabyPNzGVgeg0sjIDiuaLcGX3WO5RX/e3+orERYIUfZ7bUfV9huYKCFS5ucTY8bSmVoYwn6lWjzKhy7Dfl8IEht1JKax+Cisfz9SK+p2leuKu14CA2wbIEMTG6Ff4ibC1be2dQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seicmu.onmicrosoft.com; s=selector1-seicmu-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CZjGwcM8lI3QaupY/1I65ZXgngSINNcH3AgBSJg1p/E=; b=I8RjQLAISit3k3C5kH6Y7qoWTNCvYyJb3srxYNRmvOSrYxxjx2gZ721k6ggccQzdouBruHp4UeB0XdDnwmJO+Vaic6lbgk+AWMrI2RMEvsmbWAk99NBdxL5SaEeuAPuOhEWfRCgC4N/q02Yi1Q+3IiU0gVcyidvrkqZ1K1nZMxw=
Received: from BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:134::12) by BN1P110MB0940.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:135::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4649.15; Tue, 2 Nov 2021 20:00:03 +0000
Received: from BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM ([fe80::4463:48d1:9769:567f]) by BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM ([fe80::4463:48d1:9769:567f%6]) with mapi id 15.20.4649.017; Tue, 2 Nov 2021 20:00:02 +0000
From: Roman Danyliw <rdd@cert.org>
To: "Wessels, Duane" <dwessels=40verisign.com@dmarc.ietf.org>
CC: "draft-ietf-dnsop-dns-tcp-requirements@ietf.org" <draft-ietf-dnsop-dns-tcp-requirements@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, Suzanne Woolf <suzworldwide@gmail.com>, "dnsop-chairs@ietf.org" <dnsop-chairs@ietf.org>, The IESG <iesg@ietf.org>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-dnsop-dns-tcp-requirements-13: (with DISCUSS and COMMENT)
Thread-Index: AQHXyewL3pO6LXt6p0qCt+FMoVdoqqvo+esAgAerEzA=
Date: Tue, 02 Nov 2021 20:00:02 +0000
Message-ID: <BN1P110MB093928DC42042BAE008E28C3DC8B9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM>
References: <163519932265.9299.10540555803853417218@ietfa.amsl.com> <AD0CE9D0-BF6B-49E4-98A3-FC7F3010843E@verisign.com>
In-Reply-To: <AD0CE9D0-BF6B-49E4-98A3-FC7F3010843E@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a1857261-c9aa-401a-7408-08d99e3b5bc1
x-ms-traffictypediagnostic: BN1P110MB0940:
x-microsoft-antispam-prvs: <BN1P110MB0940ECA4B64D14692691EEF1DC8B9@BN1P110MB0940.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: tldfUauHoLfyziIim9TTM/UpDoYRBqDQbRu9eWLJ6RmZZ9cfIdwdYXwt+rjVCef3B7PlhpJx+U7j6p7gulWBpXi+qUVP2h1OuNUViu6Vm3Ityd1AQs1Hy/OD1GbnmAqSyDLNI+INa7oQRrOxvSZyLZJLRv8b6Q5Z7muH0fVeeQF/tP0pSW4c9LNPDkvOnH8pHgMhk3paYXiVLH5RzP+RULv2M3wMcVuJPbbNAlGsxCp+Mrvz5erUJ0OId78bJfa8ELw4Hjk9Cl+aK1n4XGQs0yVJJ62Mlpk6LcTLGlqSLkFKoqQuLXozL+kY/IA2NY5anVe1NlmMpcEdqdyS2rkNFgObfDoJul3kr4uIsT2xNE4r3xjhocAOrY4YCa4RFKTAGd+oEZvaCbHKi8LxFUTnREMnbzCRlxYoJZcTgVSosyGxGI1ECj5CF/Up4rzEOZwyb/BxByzqjGWnZ6pgxjcvtFpDMnS2cc3+bvDQH49a5hyhb4fit7DV8zR4+4OA963gXS+G/MPW8aqt35PL/M7byPH9I68iAyZo50+8B8oYq9V57+mNZPE3z647dG1NKGcdiETyrmPZzMsG31V1nq4ZwAT3ufA5vYVRThnEzOba59xiWaIKZyWCgtt5ZXHLVvyYnC3fI/JkD7EUyvHcwKpvuEYCcFUs4u0+Oc3pjWLxMQhBhHGmNI3URKGjOqHQeVsetfVWqIucqej9UVkmBieOzw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(366004)(76116006)(54906003)(66446008)(53546011)(66946007)(4326008)(71200400001)(6506007)(498600001)(55016002)(38070700005)(966005)(9686003)(66556008)(66476007)(7696005)(64756008)(8676002)(122000001)(66574015)(186003)(83380400001)(33656002)(82960400001)(86362001)(52536014)(38100700002)(5660300002)(2906002)(26005)(8936002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: QwluG67VGu1UO6GrZ15Kw7DM5+UeHuae2mih/ODP+RvXpoRofgGDvgwLGswzSSySE77WQ41rgloOCcVk+6n8ovvrwTZsIHyGMkaWCEPwbCeLmKAeoa/Mgqu/wScNf1BEFUU2114syg9d+JUBJ0XPt0QORQKyjEa3bC3tbtTvhVcApYF4Ehpxdee4kZT55OSlw8RK1S38clGYkd3hVeXy0TbBgyJq+sgraJ8pIujwKO0OSPXwElhhVSlC51ezZrm7tbV73SQyub4gHrrfL+i5loaVFq989lA0EvNlSW0DBnu/ZNAf43N4i2onjqkoeEA7VN/QzQV+KXvnBO4KsotyyPsB9fhniVXlFdW2zwDQ4jRgbmm0oO/+RPb8cqs6OGRjd706BZFOOW73uKy6ppwaAH++PIuhri++/btCaWWTH4C49CJSdJMHT0BoXQVlP2ykOhntHdQb9Xt/UA9XqTfl64LvEKImvu4Y07h+874foOkvsuh83+NtKInXIj2D8abl9IdsrtvElG0gu8JH61FtJ9hAzjWQWsqmp43mIXQDY9/cN4tYWayLQi9GWrrfk+/LjMDMZ0nzSXFb/LSkVq/8ogmx5WAiBbLxFiyKQZZeE6FQw7OKb4oQ9KVDf1cIH69+n6UdnXzk5ezt0KcM0WGmjF0A+8Tqvwwt4H3Rl/xGK0+yv0aOu5CMYVHJZW45cjWqY7QgIllcbJFphrrfIvbCn7NeOunulKpGem5+2XUSzlU=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: a1857261-c9aa-401a-7408-08d99e3b5bc1
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Nov 2021 20:00:02.8220 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN1P110MB0940
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/mPPmVmiktzqBJ3mYySLKP736uNU>
Subject: Re: [DNSOP] Roman Danyliw's Discuss on draft-ietf-dnsop-dns-tcp-requirements-13: (with DISCUSS and COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Nov 2021 20:00:13 -0000

Hi Duane!

> -----Original Message-----
> From: iesg <iesg-bounces@ietf.org> On Behalf Of Wessels, Duane
> Sent: Thursday, October 28, 2021 5:58 PM
> To: Roman Danyliw <rdd@cert.org>
> Cc: draft-ietf-dnsop-dns-tcp-requirements@ietf.org; dnsop@ietf.org; Suzanne
> Woolf <suzworldwide@gmail.com>; dnsop-chairs@ietf.org; The IESG
> <iesg@ietf.org>
> Subject: Re: Roman Danyliw's Discuss on draft-ietf-dnsop-dns-tcp-
> requirements-13: (with DISCUSS and COMMENT)
> 
> Hi Roman, thanks for the review.  My responses are inline.
> 
> > On Oct 25, 2021, at 3:02 PM, Roman Danyliw via Datatracker
> <noreply@ietf.org> wrote:
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > This document has a dedicated section for DNS over TLS, makes a number
> > of configuration recommendations for DoT, and notes it in the Privacy
> > Considerations.  However, there is no mention of DNS over HTTPS (DoH).
> > It seems like DoH should get similar treatment.
> 
> Speaking only for myself, I am reluctant to include DoH in this draft.  I feel that
> TCP and TLS are similar enough that it makes sense to cover both, but DoH is
> quite a bit different.

No argument that DoH is a bit unlike the others.

> If there is a concern that mentioning DoT is unfair and DoH should get equal
> time then I would be in favor of discussing encrypted DNS transports more
> generally, or perhaps even cutting back on encrypted transport references.

I believe that if this draft is going to be the BCP to discuss DNS over TCP, all of the flavors of DNS over TCP need to be covered.  I think it would be a disservice to the existing guidance to cut out discussion of encrypted transport.  As you propose, I don't see a reason why the different encrypted transports couldn't be discussed together.  I leave it to the deep expertise in the WG to ensure that nuances between DoT and DoH, when relevant, are called out.

> But if Im in the minority here and the working group and IESG would like to see
> DoH included then we can figure out what to say.
> 
> >
> >
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > Thank you to Alan DeKok for the SECDIR review.
> >
> > ** Section 2.2.
> >   Yet, defying some expectations, DNS over TCP remained little-used in
> >   real traffic across the Internet around this time.
> >
> > This section doesn’t define a time period to associate with “… around
> > this time”.
> 
> Does “…in the late 1990s” work for you?

Yes, thanks.

> 
> >
> > ** Section 2.2.
> >   Around the time
> >   DNSSEC was first defined, another new feature helped solidify UDP
> >   transport dominance for message transactions.
> >
> > Is that “new feature” EDNS(0) per Section 2.3?
> 
> Yes, its a lead-in to the next section.  Do you think the text needs to be
> different here?

No, you can leave the text as is.

> >
> > ** Section 2.5
> >   Today, the majority of the DNS community expects, or at least has a
> >   desire, to see DNS over TCP transactions occur without interference.
> >
> > Is there a citation for this assertion?
> 
> How about the 2020 DNS flag day?  Https://dnsflagday.net/2020/

Works for me.

> > ** Section 2.5.  Per the use of [CHES94] and [DJBDNS] to motivate the
> > position that DNS over TCP is not needed, are there more modern
> > references?  The former is from 1994, and the latter appears to be last
> updated in 2002.
> 
> I’m not aware of any newer, better references.  It does show how long held
> these beliefs are.

No problem.  I wanted to check.

> >
> > ** Section 3.
> >   Lastly, Section 1 of [RFC1536] is updated to eliminate the
> >   misconception that TCP is only useful for zone transfers.
> >
> > With what text is Section 1 of [RFC1536] updated?
> 
> I suppose my suggestion would be to strike this sentence:
> 
>    UDP is, therefore, the chosen protocol for communication
>    though TCP is used for zone transfers.
> 
> Later in section 1 there is a "Since UDP is used," which could be changed to
> "When UDP is used," if necessary.

Could you make it cleared exactly what is the old and new text relative to RFC1536.

> 
> >
> > ** Section 4.1.  Consider adding a reference of SYN cookies.
> 
> I added a reference to https://en.wikipedia.org/wiki/SYN_cookies

I would recommend using Section 3.6 of RFC4987 instead.

Everything else below looks good.  Thanks.

Regards,
Roman

> >
> > ** Section 5.1.  Does the term “DNS Wedgie” have to be used here given
> > its use in American English as the name for a bullying practice?
> > Judging from a google search
> > (https://www.google.com/search?q="dns+wedgie") this document appears
> to be inventing the term in the context of DNS.
> 
> I’d like my coauthor John to chime in on this.
> 
> >
> > ** Section 6.  Per “Furthermore, as with real TCP, …”, what is “real TCP”?
> 
> Removed “as with real TCP”
> 
> 
> >
> > ** Section 9.
> >   Because TCP is somewhat more complex than UDP, some characteristics
> >   of a TCP conversation may enable fingerprinting and tracking that is
> >   not possible with UDP.
> >
> > Recommend being clearer on who is being fingerprinted –
> > s/fingerprinting/DNS client fingerprinting/
> 
> Done.
> 
> 
> >
> > ** Section 9.  The text “DNS over TLS or DTLS is the recommended way
> > to achieve DNS privacy” seems rather soft on recommending encrypted DNS
> of any flavor.
> > Was there any WG conversation to same something stronger?
> 
> I do not recall any discussions like that, especially that werent incorporated into
> the draft.
> 
> IMO making (stronger) recommendations about DNS privacy is starting to stray
> from the purpose of this draft.
> 
> 
> 
> >
> > ** Section 9.  The text mentions that TCP is more susceptible to
> > fingerprinting.  It would be also be worth mentioned that using DoH
> > reduces susceptibility to traffic analysis.
> 
> 
> This is tied to your DISCUSS point above.
> 
> DW
>