Re: [DNSOP] Roman Danyliw's Discuss on draft-ietf-dnsop-dns-tcp-requirements-13: (with DISCUSS and COMMENT)
Roman Danyliw <rdd@cert.org> Tue, 02 November 2021 20:00 UTC
Return-Path: <rdd@cert.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E20883A091F; Tue, 2 Nov 2021 13:00:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=seicmu.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qLgZ_rmGjrRy; Tue, 2 Nov 2021 13:00:07 -0700 (PDT)
Received: from USG02-BN3-obe.outbound.protection.office365.us (mail-bn3usg02on0109.outbound.protection.office365.us [23.103.208.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 231233A0929; Tue, 2 Nov 2021 13:00:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=ngdkH7IL8HwmAi4s9UXeN0qadv6AszNHdbzpJ6NV6n/gsrHWJ111WEgKAJ8XGRA4gKoxH73rf9nERslYY7pRCPFIUnzixgw/omXq4Vz4k/mn33eDFPjigxKWW4jx+5pqAuUIgUJCFFlydWvQviSkWtGtCEKCOj7TC0z7iE79CoYAugXz8mvIcjjsoCtj6AWg93cuUBkCIJ5UhWVBiIPh4nsuJjEjExgxyT7B2Yw4oJvj62kGAfMKukrzlYIwh5l2a0ZWDlwUzxYI81BQSzgO4lb5UHsHzUWTZhRQm0iYby2x5wINOWLNheFuRFDFdxfAzXsY+oMTUKkWLZAJVSy8RA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=CZjGwcM8lI3QaupY/1I65ZXgngSINNcH3AgBSJg1p/E=; b=XGCgjKnG0EVjEyAQTCRA7Ijo+PFqtFLADDfFn8bIY/XaRe02qYdLYGL1Kc/OVFQm3V5ktvOFY1EOaiAnsjxXh5yv8ngPYZKBxabpE+27pQ+SjxH0/UlaWGVFR+FAD2x53/y+9XGd8mBL+916ZsmcQt75S5C0YdAoXS2epycDP2VnAwtQpJwG2PdQNStu5JfJWx6y6Zm9eEl3vwpwZabyPNzGVgeg0sjIDiuaLcGX3WO5RX/e3+orERYIUfZ7bUfV9huYKCFS5ucTY8bSmVoYwn6lWjzKhy7Dfl8IEht1JKax+Cisfz9SK+p2leuKu14CA2wbIEMTG6Ff4ibC1be2dQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seicmu.onmicrosoft.com; s=selector1-seicmu-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CZjGwcM8lI3QaupY/1I65ZXgngSINNcH3AgBSJg1p/E=; b=I8RjQLAISit3k3C5kH6Y7qoWTNCvYyJb3srxYNRmvOSrYxxjx2gZ721k6ggccQzdouBruHp4UeB0XdDnwmJO+Vaic6lbgk+AWMrI2RMEvsmbWAk99NBdxL5SaEeuAPuOhEWfRCgC4N/q02Yi1Q+3IiU0gVcyidvrkqZ1K1nZMxw=
Received: from BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:134::12) by BN1P110MB0940.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:135::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4649.15; Tue, 2 Nov 2021 20:00:03 +0000
Received: from BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM ([fe80::4463:48d1:9769:567f]) by BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM ([fe80::4463:48d1:9769:567f%6]) with mapi id 15.20.4649.017; Tue, 2 Nov 2021 20:00:02 +0000
From: Roman Danyliw <rdd@cert.org>
To: "Wessels, Duane" <dwessels=40verisign.com@dmarc.ietf.org>
CC: "draft-ietf-dnsop-dns-tcp-requirements@ietf.org" <draft-ietf-dnsop-dns-tcp-requirements@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, Suzanne Woolf <suzworldwide@gmail.com>, "dnsop-chairs@ietf.org" <dnsop-chairs@ietf.org>, The IESG <iesg@ietf.org>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-dnsop-dns-tcp-requirements-13: (with DISCUSS and COMMENT)
Thread-Index: AQHXyewL3pO6LXt6p0qCt+FMoVdoqqvo+esAgAerEzA=
Date: Tue, 02 Nov 2021 20:00:02 +0000
Message-ID: <BN1P110MB093928DC42042BAE008E28C3DC8B9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM>
References: <163519932265.9299.10540555803853417218@ietfa.amsl.com> <AD0CE9D0-BF6B-49E4-98A3-FC7F3010843E@verisign.com>
In-Reply-To: <AD0CE9D0-BF6B-49E4-98A3-FC7F3010843E@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a1857261-c9aa-401a-7408-08d99e3b5bc1
x-ms-traffictypediagnostic: BN1P110MB0940:
x-microsoft-antispam-prvs: <BN1P110MB0940ECA4B64D14692691EEF1DC8B9@BN1P110MB0940.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: tldfUauHoLfyziIim9TTM/UpDoYRBqDQbRu9eWLJ6RmZZ9cfIdwdYXwt+rjVCef3B7PlhpJx+U7j6p7gulWBpXi+qUVP2h1OuNUViu6Vm3Ityd1AQs1Hy/OD1GbnmAqSyDLNI+INa7oQRrOxvSZyLZJLRv8b6Q5Z7muH0fVeeQF/tP0pSW4c9LNPDkvOnH8pHgMhk3paYXiVLH5RzP+RULv2M3wMcVuJPbbNAlGsxCp+Mrvz5erUJ0OId78bJfa8ELw4Hjk9Cl+aK1n4XGQs0yVJJ62Mlpk6LcTLGlqSLkFKoqQuLXozL+kY/IA2NY5anVe1NlmMpcEdqdyS2rkNFgObfDoJul3kr4uIsT2xNE4r3xjhocAOrY4YCa4RFKTAGd+oEZvaCbHKi8LxFUTnREMnbzCRlxYoJZcTgVSosyGxGI1ECj5CF/Up4rzEOZwyb/BxByzqjGWnZ6pgxjcvtFpDMnS2cc3+bvDQH49a5hyhb4fit7DV8zR4+4OA963gXS+G/MPW8aqt35PL/M7byPH9I68iAyZo50+8B8oYq9V57+mNZPE3z647dG1NKGcdiETyrmPZzMsG31V1nq4ZwAT3ufA5vYVRThnEzOba59xiWaIKZyWCgtt5ZXHLVvyYnC3fI/JkD7EUyvHcwKpvuEYCcFUs4u0+Oc3pjWLxMQhBhHGmNI3URKGjOqHQeVsetfVWqIucqej9UVkmBieOzw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(366004)(76116006)(54906003)(66446008)(53546011)(66946007)(4326008)(71200400001)(6506007)(498600001)(55016002)(38070700005)(966005)(9686003)(66556008)(66476007)(7696005)(64756008)(8676002)(122000001)(66574015)(186003)(83380400001)(33656002)(82960400001)(86362001)(52536014)(38100700002)(5660300002)(2906002)(26005)(8936002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: QwluG67VGu1UO6GrZ15Kw7DM5+UeHuae2mih/ODP+RvXpoRofgGDvgwLGswzSSySE77WQ41rgloOCcVk+6n8ovvrwTZsIHyGMkaWCEPwbCeLmKAeoa/Mgqu/wScNf1BEFUU2114syg9d+JUBJ0XPt0QORQKyjEa3bC3tbtTvhVcApYF4Ehpxdee4kZT55OSlw8RK1S38clGYkd3hVeXy0TbBgyJq+sgraJ8pIujwKO0OSPXwElhhVSlC51ezZrm7tbV73SQyub4gHrrfL+i5loaVFq989lA0EvNlSW0DBnu/ZNAf43N4i2onjqkoeEA7VN/QzQV+KXvnBO4KsotyyPsB9fhniVXlFdW2zwDQ4jRgbmm0oO/+RPb8cqs6OGRjd706BZFOOW73uKy6ppwaAH++PIuhri++/btCaWWTH4C49CJSdJMHT0BoXQVlP2ykOhntHdQb9Xt/UA9XqTfl64LvEKImvu4Y07h+874foOkvsuh83+NtKInXIj2D8abl9IdsrtvElG0gu8JH61FtJ9hAzjWQWsqmp43mIXQDY9/cN4tYWayLQi9GWrrfk+/LjMDMZ0nzSXFb/LSkVq/8ogmx5WAiBbLxFiyKQZZeE6FQw7OKb4oQ9KVDf1cIH69+n6UdnXzk5ezt0KcM0WGmjF0A+8Tqvwwt4H3Rl/xGK0+yv0aOu5CMYVHJZW45cjWqY7QgIllcbJFphrrfIvbCn7NeOunulKpGem5+2XUSzlU=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: a1857261-c9aa-401a-7408-08d99e3b5bc1
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Nov 2021 20:00:02.8220 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN1P110MB0940
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/mPPmVmiktzqBJ3mYySLKP736uNU>
Subject: Re: [DNSOP] Roman Danyliw's Discuss on draft-ietf-dnsop-dns-tcp-requirements-13: (with DISCUSS and COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Nov 2021 20:00:13 -0000
Hi Duane! > -----Original Message----- > From: iesg <iesg-bounces@ietf.org> On Behalf Of Wessels, Duane > Sent: Thursday, October 28, 2021 5:58 PM > To: Roman Danyliw <rdd@cert.org> > Cc: draft-ietf-dnsop-dns-tcp-requirements@ietf.org; dnsop@ietf.org; Suzanne > Woolf <suzworldwide@gmail.com>; dnsop-chairs@ietf.org; The IESG > <iesg@ietf.org> > Subject: Re: Roman Danyliw's Discuss on draft-ietf-dnsop-dns-tcp- > requirements-13: (with DISCUSS and COMMENT) > > Hi Roman, thanks for the review. My responses are inline. > > > On Oct 25, 2021, at 3:02 PM, Roman Danyliw via Datatracker > <noreply@ietf.org> wrote: > > > > > > > > ---------------------------------------------------------------------- > > DISCUSS: > > ---------------------------------------------------------------------- > > > > This document has a dedicated section for DNS over TLS, makes a number > > of configuration recommendations for DoT, and notes it in the Privacy > > Considerations. However, there is no mention of DNS over HTTPS (DoH). > > It seems like DoH should get similar treatment. > > Speaking only for myself, I am reluctant to include DoH in this draft. I feel that > TCP and TLS are similar enough that it makes sense to cover both, but DoH is > quite a bit different. No argument that DoH is a bit unlike the others. > If there is a concern that mentioning DoT is unfair and DoH should get equal > time then I would be in favor of discussing encrypted DNS transports more > generally, or perhaps even cutting back on encrypted transport references. I believe that if this draft is going to be the BCP to discuss DNS over TCP, all of the flavors of DNS over TCP need to be covered. I think it would be a disservice to the existing guidance to cut out discussion of encrypted transport. As you propose, I don't see a reason why the different encrypted transports couldn't be discussed together. I leave it to the deep expertise in the WG to ensure that nuances between DoT and DoH, when relevant, are called out. > But if Im in the minority here and the working group and IESG would like to see > DoH included then we can figure out what to say. > > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > Thank you to Alan DeKok for the SECDIR review. > > > > ** Section 2.2. > > Yet, defying some expectations, DNS over TCP remained little-used in > > real traffic across the Internet around this time. > > > > This section doesn’t define a time period to associate with “… around > > this time”. > > Does “…in the late 1990s” work for you? Yes, thanks. > > > > > ** Section 2.2. > > Around the time > > DNSSEC was first defined, another new feature helped solidify UDP > > transport dominance for message transactions. > > > > Is that “new feature” EDNS(0) per Section 2.3? > > Yes, its a lead-in to the next section. Do you think the text needs to be > different here? No, you can leave the text as is. > > > > ** Section 2.5 > > Today, the majority of the DNS community expects, or at least has a > > desire, to see DNS over TCP transactions occur without interference. > > > > Is there a citation for this assertion? > > How about the 2020 DNS flag day? Https://dnsflagday.net/2020/ Works for me. > > ** Section 2.5. Per the use of [CHES94] and [DJBDNS] to motivate the > > position that DNS over TCP is not needed, are there more modern > > references? The former is from 1994, and the latter appears to be last > updated in 2002. > > I’m not aware of any newer, better references. It does show how long held > these beliefs are. No problem. I wanted to check. > > > > ** Section 3. > > Lastly, Section 1 of [RFC1536] is updated to eliminate the > > misconception that TCP is only useful for zone transfers. > > > > With what text is Section 1 of [RFC1536] updated? > > I suppose my suggestion would be to strike this sentence: > > UDP is, therefore, the chosen protocol for communication > though TCP is used for zone transfers. > > Later in section 1 there is a "Since UDP is used," which could be changed to > "When UDP is used," if necessary. Could you make it cleared exactly what is the old and new text relative to RFC1536. > > > > > ** Section 4.1. Consider adding a reference of SYN cookies. > > I added a reference to https://en.wikipedia.org/wiki/SYN_cookies I would recommend using Section 3.6 of RFC4987 instead. Everything else below looks good. Thanks. Regards, Roman > > > > ** Section 5.1. Does the term “DNS Wedgie” have to be used here given > > its use in American English as the name for a bullying practice? > > Judging from a google search > > (https://www.google.com/search?q="dns+wedgie") this document appears > to be inventing the term in the context of DNS. > > I’d like my coauthor John to chime in on this. > > > > > ** Section 6. Per “Furthermore, as with real TCP, …”, what is “real TCP”? > > Removed “as with real TCP” > > > > > > ** Section 9. > > Because TCP is somewhat more complex than UDP, some characteristics > > of a TCP conversation may enable fingerprinting and tracking that is > > not possible with UDP. > > > > Recommend being clearer on who is being fingerprinted – > > s/fingerprinting/DNS client fingerprinting/ > > Done. > > > > > > ** Section 9. The text “DNS over TLS or DTLS is the recommended way > > to achieve DNS privacy” seems rather soft on recommending encrypted DNS > of any flavor. > > Was there any WG conversation to same something stronger? > > I do not recall any discussions like that, especially that werent incorporated into > the draft. > > IMO making (stronger) recommendations about DNS privacy is starting to stray > from the purpose of this draft. > > > > > > > ** Section 9. The text mentions that TCP is more susceptible to > > fingerprinting. It would be also be worth mentioned that using DoH > > reduces susceptibility to traffic analysis. > > > This is tied to your DISCUSS point above. > > DW >
- [DNSOP] Roman Danyliw's Discuss on draft-ietf-dns… Roman Danyliw via Datatracker
- Re: [DNSOP] Roman Danyliw's Discuss on draft-ietf… Wessels, Duane
- Re: [DNSOP] Roman Danyliw's Discuss on draft-ietf… Roman Danyliw
- Re: [DNSOP] Roman Danyliw's Discuss on draft-ietf… Ray Bellis
- Re: [DNSOP] Roman Danyliw's Discuss on draft-ietf… Joe Abley
- Re: [DNSOP] Roman Danyliw's Discuss on draft-ietf… Joe Abley