Re: [Last-Call] [dns-privacy] Genart last call review of draft-ietf-dprive-bcp-op-07

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


On 29 Dec 2019, at 13:50, Mohit Sethi via Datatracker <noreply@xxxxxxxx> wrote:

Reviewer: Mohit Sethi
Review result: On the Right Track

I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at

<https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.

Document: draft-ietf-dprive-bcp-op-07
Reviewer: Mohit Sethi
Review Date: 2019-12-29
IETF LC End Date: 2020-01-02
IESG Telechat date: Not scheduled for a telechat

Summary:
This draft discusses privacy challenges for recursive DNS resolvers. It then
describes policy and security considerations that DNS service providers can use
for enhanced user privacy. The draft is 'On the Right Track' but not yet ready.

Many thanks for the detailed review! Ben, Rob I hope theses fixes also address your comments.


Major issues:

I wonder if section 5.1.2.1/5.1.3.1 should also talk about recommending OCSP
stapling (RFC 6066)? I looked at RFC 8310 and it mentions RFC 7525. Do you want
to mention it here in section 5.1.2.1/5.1.3.1?

What exactly are you thinking of here - something that just says “Server operators should also follow the best practices with regard to OCSP as described in RFC7525”? If something more could you please suggest text?


In section 5.1.2.1, what is meant by 'authentication domain names'? Later, the
text says 'authentication name for the service'. I guess you are implying the
authentic domain name of the DNS resolver service that the client software
should verify through the common name (CN) in the certificate? Some more
explanation here would be beneficial.

It is defined in the terminology section of RFC8310:

"Authentication domain name: A domain name that can be used to authenticate a privacy-enabling DNS server.  Sources of authentication domain names are discussed in Section 7."

I have added a reference for RFC8310 after the first use of ‘authentication domain name’ and made sure every instance of 'authentication name' is updated to 'authentication domain name' for clarity.


In section 5.1.4, should 'DNS Roadblock avoidance' be 'DNSSEC Roadblock
avoidance'? And please add a reference to RFC 8027 here if that is the case.

Yes, good catch - will do. 


Section 5.1.7 says "discussion on the use of Bloom Filters in Appendix A". It
is pointing to the wrong appendix. 

Fixed - thanks.

Also, this section talks about implementing
traffic monitoring by the DNS service provider. I would argue that in most
deployments, the traffic monitoring is required (and implemented) by a
different entity. Think of a home network router that has a parental control.
Or an enterprise restricting employees from visiting certain sites (to prevent
insider attacks)? The impact of encryption is more serious for them and less so
for a DNS service provider. What is the BCP advice for them? 

You are correct that the there are differing concerns but I don’t believe this document should tackle that - the audience of the document is specifically operators of DNS privacy services, typically monitoring to prevent DDoS or similar, not network operators in general (although they may be both in some cases). For the more general case I think the impact is covered in RFC8404 'Effects of Pervasive Encryption on Operators’?

I do notice a couple of places where just ‘operators’ is used in the text so could add ‘DNS Privacy Service’ before that to clarify?

Also, is it fair
to say that this is a best current practice? It feels that we need more
experience before we start recommending it as an optimization.

Given the specific scope discussed above I think it is fair. The privacy policies of most of the public resolver operators and ISPs that offer encrypted DNS are pretty good today in terms of how they try to minimise the user data retained and I’m sure they all still have monitoring in place… 


This comment applies to all 5.1.1-5.1.8. Each subsection starts rather abruptly
by discussing threats. It would be nice if you add a sentence at the beginning
of each sub-section telling the reader what are they heading into. This is
probably most obvious from section 5.1.8. Without even telling the reader what
is a pure TLS proxy, you start listing the DNS privacy threats. Only later on
you mention option that operators may implement DNS-over-TLS using a TLS proxy.

If we go down this road then I think to be consistent we would need to add text for all 16 sections 5.1.1 to 5.3.3. I could do this but I have a feeling it would be come quite repetitive with respect to the section title text and I think if we could get the titles correct (and possibly add more text to section 5) this might be unnecessary. I suggest:

Section 5: Add a first paragraph:
“In the following sections we first outline the threats relevant to the specific topic and then discuss the potential actions that can be taken to mitigate them.”

And for section 5.1.8 change the title to “Limitations of fronting a DNS Privacy Service with a pure TLS proxy”.
Happy to update any other headers you thought too vague. 

Would that address the issue or do you still think additional text is required?


In section 5.3.2 'way and OUGHT obfuscate'. OUGHT is not part of RFC 2119/8174.
Why is it capitalized? And, 'ought' ought to be followed by a 'to’.

I was confused by this and then realised it is a hangover from a much earlier version of the draft that used EXPECTED/OUGHT/MIGHT keywords defined in the draft to described the various levels of actions…. so as you suggest:

OLD: “For example, a resolver with a very small community of users risks exposing data in this way and OUGHT obfuscate this...”

NEW: “For example, a resolver with a very small community of users risks exposing data in this way and ought to obfuscate this..."


At the beginning of section 5, you describe three classes of actions. However,
none of the subsections contain clear "Additional options" that operators need
to follow for "maximal compliance”?

Sections 5.3.1 and 5.3.2 do have them. In earlier versions several more sections but they have been removed. 


The document seems focused on TLS 1.2 (and does not talk about TLS 1.3). In
fact, RFC 8446 is not even in the list of references even though section
5.1.3.1 mentions it. Similarly, Appendix A.2 mentions TLS session resumption
without server-side state. How about servers using TLS 1.3 and PSK resumption?
RFC 8446 has text on client tracking in appendix C.4:
https://tools.ietf.org/html/rfc8446#appendix-C.4.

A slight hangover from the fact the DNS-over-TLS spec was published in 2015 before TLS 1.3 was standardised (so it just says TLS 1.2 or later) and so most of the early DoT services used just TLS 1.2. 

Section 5.1.3.1 had the text ‘RFC8446’ but it wasn’t actually a reference so I’ve fixed that - thanks.

I’ve added a bullet point to Appendix A.2
“RFC8446 Appendix C.4 describes Client Tracking Prevention in TLS 1.3"


There is something wrong about the last sentence of Appendix A.2 'Note that
depending on the specifics of the implementation [RFC8484] may also provide
increased tracking'. You already mention RFC 8484 in Appendix A.1 as a means to
increase privacy. Perhaps you wanted to cite a different RFC here?

The point is that the use of HTTP headers in DoH can add additional privacy concerns over the other DNS transports, but that RFC8484 leaves that as an implementation decision. I suggest replacing the text with 

“Note that Section 8 of RFC8484 outlines the privacy considerations of DoH. Depending on the specifics of a DoH implementation there may be increased identification and tracking compared to other DNS transports."


Minor issues:

Nits/editorial comments:

There is mixed usage of Anonymisation (in Table 1) vs Anonymization. The same
with Pseudoanonymisation (in Table 1) vs pseudonymization in text. Please check
with the RFC editor on what is expected and use that consistently. Also noticed
optimisation.

Thanks - have fixed. I have now used the American English forms (z not s) throughout. 


In Table 1, Crytpographic should be Cryptographic.

Ack.


Maybe you could use an Oxford comma when using lists of items.

Had it some places, but not all - should be fixed now.


In section 5.1.2.1, there is stray space character at the end of the bullet on
"Follow the guidance in Section 6.5 of [RFC7525] with regards to certificate
revocation ..”

Perhaps expand DNSSEC on first usage: Domain Name System Security Extensions
(DNSSEC).

In section 5.1.6 'in terms of such options as filtering' should instead be 'in
terms of options such as filtering'.

In section 5.1.8 'a DNS aware proxy such as [dnsdist] which offer custom
(similar to that proposed in'. Consider using 'offers' instead of 'offer' and
'similar to those proposed in' instead of 'similar to that proposed in'.

In section 5.2.2 'presents and overview' should be 'presents an overview'.
Consider rephrasing 'the better to resist brute force'. Also, in 'agreed
solution or any Standards to inform', why is standards capitalized?

In section 5.2.4 'queries on multiple TCP session' should be 'queries on
multiple TCP sessions'. Please expand CPE on first usage.

In section 6.3 'This is by analogy with e.g. several TLS or website' could
instead be 'This is analogous to several TLS or website'.

In Appendix A.1 'documents apply to recursive to authoritative DNS' shouldn't
there be an 'and’?

All fixed - thanks. 


In Appendix C.1, consider changing the format for the sub bullets of '2.  Data
collection and sharing.'. Instead of numbering them with 1/2/3, perhaps use
a/b/c.

I’m currently using markdown which won’t let me do that…. :-( I do think that would be better so I suggest adding a note that this is done at RFC editor time….?


In Appendix C.1 'of use of system' could be 'of system use'. Also why is there
a line break between 'items that are' and 'included'? There is an extraneous
'the' in 'available with the our threat intelligence'. Consider re-wording
parts of paragraph '3. Sharing of data. '. At one place you say 'with our
threat intelligence partners' and a few words later you say 'with its threat
intelligence partners’.

Fixed.


In Appendix C.1 'In the event of events or observed behaviors' is a bit hard to
parse. Consider rephrasing the 'event of events' part.

Replaced events with actions.

Best regards

Sara. 



-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux