Roman Danyliw has entered the following ballot position for draft-ietf-dnsop-dns-tcp-requirements-13: Discuss

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/blog/handling-iesg-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-tcp-requirements/

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

This document has a dedicated section for DNS over TLS, makes a number of configuration recommendations for DoT, and notes it in the Privacy Considerations. However, there is no mention of DNS over HTTPS (DoH). It seems like DoH should get similar treatment.

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thank you to Alan DeKok for the SECDIR review.

** Section 2.2.
   Yet, defying some expectations, DNS over TCP remained little-used in real traffic across the Internet around this time.

This section doesn't define a time period to associate with "... around this time".

** Section 2.2.
   Around the time DNSSEC was first defined, another new feature helped solidify UDP transport dominance for message transactions.

Is that "new feature" EDNS(0) per Section 2.3?

** Section 2.5
   Today, the majority of the DNS community expects, or at least has a desire, to see DNS over TCP transactions occur without interference.

Is there a citation for this assertion?

** Section 2.5. Per the use of [CHES94] and [DJBDNS] to motivate the position that DNS over TCP is not needed, are there more modern references? The former is from 1994, and the latter appears to have been last updated in 2002.

** Section 3.
   Lastly, Section 1 of [RFC1536] is updated to eliminate the misconception that TCP is only useful for zone transfers.

With what text is Section 1 of [RFC1536] updated?

** Section 4.1. Consider adding a reference for SYN cookies.

** Section 5.1. Does the term "DNS Wedgie" have to be used here given its use in American English as the name for a bullying practice? Judging from a Google search (https://www.google.com/search?q="dns+wedgie"), this document appears to be inventing the term in the context of DNS.

** Section 6. Per "Furthermore, as with real TCP, ...", what is "real TCP"?

** Section 9.
   Because TCP is somewhat more complex than UDP, some characteristics of a TCP conversation may enable fingerprinting and tracking that is not possible with UDP.

Recommend being clearer on who is being fingerprinted: s/fingerprinting/DNS client fingerprinting/

** Section 9. The text "DNS over TLS or DTLS is the recommended way to achieve DNS privacy" seems rather soft on recommending encrypted DNS of any flavor. Was there any WG conversation to say something stronger?

** Section 9. The text mentions that TCP is more susceptible to fingerprinting. It would also be worth mentioning that using DoH reduces susceptibility to traffic analysis.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop