IETF Logo Mail Archive

Re: [DNSOP] Roman Danyliw's Discuss on draft-ietf-dnsop-dns-tcp-requirements-13: (with DISCUSS and COMMENT)

"Wessels, Duane" <dwessels@verisign.com> Thu, 28 October 2021 21:58 UTC

Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD6923A12A9; Thu, 28 Oct 2021 14:58:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x8WDFFN5R2As; Thu, 28 Oct 2021 14:58:06 -0700 (PDT)
Received: from mail2.verisign.com (mail2.verisign.com [72.13.63.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E8093A12C3; Thu, 28 Oct 2021 14:58:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=6516; q=dns/txt; s=VRSN; t=1635458287; h=from:to:cc:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version:subject; bh=MU7Bfy9jXS4ra84cSf2GC3VVmhFoUN3FRK6kRj+4UZU=; b=WywtGrqa0y3VzUUAVeS0fOrramcI6M5pz5BDwfQSx6v2n5C368Q3z5fg v7JGW6EktmHZirLMKEPM0QF/Y5tI54yh1KzClHWU1+8ksn25yEQ9McrD3 weopsraroJsWGXVqzNTayVPu8WQJ6GUPez4DWpaxSIrZ7rKtuSrcoYNDA 1UbTPj2J2Sq+YxMfQItNWOT6Lgt/5y/wpufYnWOJyzc0t9XQg6JiI2Xg+ N9RFHyktkaVlRr3aJeyuveP7QCHoGJdC4JWLcEJbIfDs2H8IVQ415xVFg giXbFfqS4c7VdOqgeBkdQOtSn68bUBQvGAYoWQezcBwZHXRRR8gnVwwGV Q==;
IronPort-SDR: /fKHo361MRE5bKZYzf8a1wsvMf0w4bDJXdRKoW7Yc4u/XzbQiv6SVHoP8mGm/fwysUtjJqr0bz v96RYwvTwiicM1Y+KYr12pPCCL35XfFDIc4CEZ2PaDkEW31uSby1+8VxtoYNJlRCh0u7UShwN3 MgY6/rbyh4H3jSJzD96D4HC3FkubJ4uXc2V1c6IJ3mvOT/4VHaw7R945+8zrPBZ4eMKeJ+VrUK 6qnJm5xQ7jycjmwTEA1UbxTYyL1QFFiaNB+upLq6p+8OpMZhZtsid15WLfotikOrpwjAU+NiTL vNM=
IronPort-Data: A9a23:E7aKgqBcquQtRRVW/zbiw5YqxClBgxIJ4kV8jS/XYbTApGgm0T1Wy mcbWj+BbPbcYGShLdEgYY3k9ElQ7Z7Qm4NnTANkpHpgcSlH+JHPbTi7wuccHM8zwunrFh8PA xA2M4GYRCwMo/y1Si6FatANl1ElvU2zbue6WLGs1hxZH1c+EX5500I7wIbVv6Yz6TSHK1LV0 T/Ni5CHULOV82Yc3rU8sv/rRLtH5ZweiRtA1rAMTakjUGz2zhH5OKkiyZSZdBMUdGX08tmSH I4vxJnhlo/Q10l1VoP9yt4XeGVSKlLZFVDmZna7x8FOK/WNz8A/+v9TCRYSVatYowmOmPRWz vxOj5C1bTkjEvWPodUiYgYNRkmSPYUekFPGCVKFl5Ws6WD2KyGq3f5pFllwNIFe5PxsBydF8 vlwxDIlN0jF3r3thuvmEa8w16zPL+GyVG8bkn1/wCrCAPI9aY7OWaTR5NBemjw3g6iiGN6HP 5FCMmQxMHwsZTVOCgw1NL9moNuhpTriSCJHmGiXiYsotj27IAtZleKF3MDuUsaGSe1ek1yE4 GXc8AzRAxwBO/SexCaLtHW2iYfnkTnyVp5XFbCk+LtmhkaU3ikfDgZTSVCj5OO0k1O/Qd9aJ koI4QIvoLQ8skuxQbHVUxujp2bBtR4VWsBLO+w39A/LzbDbiy6VAHMDVhZAZcAo8sgsSlQCz UKbgNTzATBwsbGYYX2Y/7aQ6zi1PEAowXQqbzUCFBQD7sm7+sQokAiJS9d4VaSyyNfvH2i23 SqRqm41gLB7YdM36phXNGvv21qEzqUlhCZsjukLdgpJNj9EWbM=
IronPort-HdrOrdr: A9a23:Qki8haMlAhv2c8BcThyjsMiBIKoaSvp037BN7TEVdfU1SL37qy nAppQmPHPP5gr5O0tOpTnoAsDpfZq2z+8X3WB+B9afdTijlmeuIJpr8IfuhxbxcheTysdtkY NtabJ3BtG1L1Rr5PyR3CCIV/It2sOO/qztv/rZ1HsFd2xXQrtt9Bh0ETyWFUBKRA1LbKBTKK ah
X-IronPort-AV: E=Sophos;i="5.87,191,1631577600"; d="scan'208";a="10333664"
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.15; Thu, 28 Oct 2021 17:58:04 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%4]) with mapi id 15.01.2308.015; Thu, 28 Oct 2021 17:58:04 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Roman Danyliw <rdd@cert.org>
CC: The IESG <iesg@ietf.org>, "draft-ietf-dnsop-dns-tcp-requirements@ietf.org" <draft-ietf-dnsop-dns-tcp-requirements@ietf.org>, "dnsop-chairs@ietf.org" <dnsop-chairs@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, Suzanne Woolf <suzworldwide@gmail.com>
Thread-Topic: [EXTERNAL] Roman Danyliw's Discuss on draft-ietf-dnsop-dns-tcp-requirements-13: (with DISCUSS and COMMENT)
Thread-Index: AQHXzEbiZfLCfXYv5E6UQ8A6iE73bg==
Date: Thu, 28 Oct 2021 21:58:04 +0000
Message-ID: <AD0CE9D0-BF6B-49E4-98A3-FC7F3010843E@verisign.com>
References: <163519932265.9299.10540555803853417218@ietfa.amsl.com>
In-Reply-To: <163519932265.9299.10540555803853417218@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3608.120.23.2.7)
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-ID: <A8F6430B691FA848A01B917082E77F20@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/skHvMXehA910LfgJ05mxnLVlgao>
Subject: Re: [DNSOP] Roman Danyliw's Discuss on draft-ietf-dnsop-dns-tcp-requirements-13: (with DISCUSS and COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Oct 2021 21:58:12 -0000

Hi Roman, thanks for the review.  My responses are inline.

> On Oct 25, 2021, at 3:02 PM, Roman Danyliw via Datatracker <noreply@ietf.org> wrote:
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> This document has a dedicated section for DNS over TLS, makes a number of
> configuration recommendations for DoT, and notes it in the Privacy
> Considerations.  However, there is no mention of DNS over HTTPS (DoH).  It
> seems like DoH should get similar treatment.

Speaking only for myself, I am reluctant to include DoH in this draft.  I
feel that TCP and TLS are similar enough that it makes sense to cover both,
but DoH is quite a bit different.

If there is a concern that mentioning DoT is unfair and DoH should get
equal time then I would be in favor of discussing encrypted DNS transports
more generally, or perhaps even cutting back on encrypted transport
references.

But if Im in the minority here and the working group and IESG would like
to see DoH included then we can figure out what to say.

> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Thank you to Alan DeKok for the SECDIR review.
> 
> ** Section 2.2.
>   Yet, defying some expectations, DNS over TCP remained little-used in
>   real traffic across the Internet around this time.
> 
> This section doesn’t define a time period to associate with “… around this
> time”.

Does “…in the late 1990s” work for you?

> 
> ** Section 2.2.
>   Around the time
>   DNSSEC was first defined, another new feature helped solidify UDP
>   transport dominance for message transactions.
> 
> Is that “new feature” EDNS(0) per Section 2.3?

Yes, its a lead-in to the next section.  Do you think the text needs to be different here?


> 
> ** Section 2.5
>   Today, the majority of the DNS community expects, or at least has a
>   desire, to see DNS over TCP transactions occur without interference.
> 
> Is there a citation for this assertion?

How about the 2020 DNS flag day?  Https://dnsflagday.net/2020/


> 
> ** Section 2.5.  Per the use of [CHES94] and [DJBDNS] to motivate the position
> that DNS over TCP is not needed, are there more modern references?  The former
> is from 1994, and the latter appears to be last updated in 2002.

I’m not aware of any newer, better references.  It does show how long held these beliefs are.

> 
> ** Section 3.
>   Lastly, Section 1 of [RFC1536] is updated to eliminate the
>   misconception that TCP is only useful for zone transfers.
> 
> With what text is Section 1 of [RFC1536] updated?

I suppose my suggestion would be to strike this sentence:

   UDP is, therefore, the chosen protocol for communication
   though TCP is used for zone transfers.

Later in section 1 there is a "Since UDP is used," which could be changed
to "When UDP is used," if necessary.


> 
> ** Section 4.1.  Consider adding a reference of SYN cookies.

I added a reference to https://en.wikipedia.org/wiki/SYN_cookies

> 
> ** Section 5.1.  Does the term “DNS Wedgie” have to be used here given its use
> in American English as the name for a bullying practice?  Judging from a google
> search (https://www.google.com/search?q="dns+wedgie"), this document appears to
> be inventing the term in the context of DNS.

I’d like my coauthor John to chime in on this.

> 
> ** Section 6.  Per “Furthermore, as with real TCP, …”, what is “real TCP”?

Removed “as with real TCP”


> 
> ** Section 9.
>   Because TCP is somewhat more complex than UDP, some characteristics
>   of a TCP conversation may enable fingerprinting and tracking that is
>   not possible with UDP.
> 
> Recommend being clearer on who is being fingerprinted – s/fingerprinting/DNS
> client fingerprinting/

Done.


> 
> ** Section 9.  The text “DNS over TLS or DTLS is the recommended way to achieve
> DNS privacy” seems rather soft on recommending encrypted DNS of any flavor. 
> Was there any WG conversation to same something stronger?

I do not recall any discussions like that, especially that werent incorporated
into the draft.

IMO making (stronger) recommendations about DNS privacy is starting to
stray from the purpose of this draft.



> 
> ** Section 9.  The text mentions that TCP is more susceptible to
> fingerprinting.  It would be also be worth mentioned that using DoH reduces
> susceptibility to traffic analysis.


This is tied to your DISCUSS point above.

DW

v2.23.0 | Report a Bug | By Email