Internet Engineering Task Force 104, 29 Mar 2019

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: IETF104-DPRIVE-20190329-1050

Description

DPRIVE meeting session at IETF104
2019/03/29 1050

https://datatracker.ietf.org/meeting/104/proceedings/

A

B

All we're gonna get started in a few minutes if you want to go head and get your seats.

B

If, if you're not here for deprive get the hell out, Steven sit down.

B

Good morning, everybody welcome to the the deep rod working group I'm Brian. This is Tim, we're your illustrious host for the day, so quick run-through of who we are and what we're doing, I'm a troublemaker. I, don't know I'm.

C

The voice of reason.

B

So so, first of all, we did have a slight leadership change over this this week. So first things first I'd like to welcome Eric to the to the zoo, stand up and take about anything that Tim and I do that you don't like talk to him and, second of all, mister mandersohn. Please stand up. Yes,.

D

B

Want to thank Terry for his illustrious leadership over the last four years. We understand that we are his favorite working group so, but we also appreciate all the help that he's given us. So thanks Terry. Thank you.

B

Quick other administrative notes, Dan York, is our illustrious Jabba chopped scribe, so he'll be jumping in front of line for anybody who has questions there and mr. Hoffman there was Paul. Paul was graciously agreed to take minutes for today. So I think we are covered from that and please.

C

Remember to speak your name at the mic, so Paul can find you yet if.

B

Not one will beat you for them yet note. Well, if you've been here for more than 30 seconds, you've seen this make sure that you follow it.

B

Blue sheets have started around I, believe Suzanne started the passage, so please sign those so that we know what size room we need and we're not either cramped on top of each other or yelling at each other from five miles away. The next time we meet agenda first thing: we're gonna run through the agenda, make sure we got the blue sheets going. mmm The first order of business is going to be discussions of our stage two work.

B

We have a nice long 30-minute discussions about the material that's been been collected since the interim meeting, so that that's gonna be the first order of business. Second, one is going to be some new working group business that we want to go over.

B

As far as that goes, we have some some updates from from the 76 26 biz work, as well as the BCP op and then new things coming down the pike. We have some some discussions on a BCP for doe clients using dot for insecure delegations and how to bootstrap the DNS servers. Does anybody have any changes or modifications to the agenda that they would like to propose.

B

All right and we will move on to the discussion of the requirements for phase two Alice.

E

Hi morning everybody so been on myself and William got together and worked on something that should cover the one of the milestones, the so-called unpublished document. So but the purpose of this talk is to give you like a little bit of a background. We have a couple of questions that we have collected and after that we really want to go into a discussion of how to proceed with this document.

E

So, just to give you a background of that, the TRF charter actually contains a work item that says: develop requirements for rating confidentiality, the DNS service, and that is supposed to be in our published document yeah. So we have, we have taken the decision to put it into the put it actually on a key top page. So during ITF, as you remember, the deep RF working group sessions of Katherine, so there wasn't any chance to discuss that.

E

We created the wiki document first, that that was move to to get up repository, and so the was that there was a review of that first version of that collection of texts, the deprived interim and a couple of updates came in since that interim meeting, so brief overview um can I can ask how many people have actually read that one of you, okay, so I'll gonna.

F

E

You a quick, run okra about what what the document is about. We are we actually listing existing and previous work. That includes previous work from a private group as well as work from other groups. We came up with the idea that the the requirement the requirements actually come from three different perspectives. So one is the user requirement, the user perspective, that user might have a different requirement and the other perspectives where the other requirements are. The operators, be both recursive resolvers as a client and authoritative nameservers to servers and yet another perspective on requirements.

E

Is the software vendor implementer?

E

Furthermore, down the document we have a functional breakdown of, I would say that ypres if a phase, two area into those functional components, so there's text about the privacy protection mechanism, something that's that's, of course, more trickier. Here then, with phase one is the authentication with concerns or text about performance and efficiency, and some things that came up during the discussion. One is the detection of availability. So how does a server actually find out that an alternative server provides deprived needle protocol? So I would say, and something interesting: the end user policy propagation.

E

So how does the stop resolver user actually find out whether the upstream connection between the recursive resolver and the authoritative servers were encrypted or not yeah? This is important. We're gonna come back to that afterwards, so the current status is it's it's more like an description of options. It's not really a hard requirements document. So so we essentially put all the text in that we could think of, and it doesn't say like a server mouse to try and me a client ought to, and so the idea over a tree.

E

The overarching question is: how shall we proceed with this document? We yesterday we talked about this a little bit and we found out. There are three essential questions that I'm gonna talk about in a minute, but first, of course please review that one yeah please comment on it. You can actually like submit the pool request if you want to text edit or changed so going further to those three questions.

E

So the question number one to the group is, as I said before, the document is currently rather a description of options and what functional areas do we need to consider to work on rather than a hard list of requirements, yeah, so question number one is: shall we modify the document to twist hard requirements so must ensure? If, yes, what are these requirements? Obviously, so that's the first thing I would propose to discuss.

E

The second question that we came up with. Are we actually set with dota2 transport protocol? The document lists the transport protocol. Choice is one of the dimensions of the design. Space, yeah and duty is baked, as we all know, or a couple of other options yeah, as we all know as well. So the question to the group is: do we want to be settled on DNS or TLS as the transport protocol of choice between recursive, resolvers and authoritative servers?

E

If, yes, do, we need any changes to do tea as it stands, a new profile for authentication. Of course, if d-o-t is not the protocol of choice, then what else do we use? Question number two and question number three: is the whole area of end-user signaling? So the idea about that is currently the the properties of the upstream connections between recursive, resolvers and authoritative. Servers are opaque to the user, so the user doesn't actually know whether his upstream connections were encrypted or not.

E

In many other places, such a similar, proxying I would three takes place. For example, if you submit your message where SMTP to someone that server might or might not use encryption when they transmit it to the destination server, so it's very similar problem to other problems due to similar problems and all protocols. So question number series: do we do we actually want or need signaling to the stub resolver?

E

Whether all upstream communication was previously enabled it's not an easy problem, I think, because if you think about how many upstream servers might be contacted for a single recursion, let me put it that way. That's all the question of aggregation in that, and, and also the more complicated questions of how do we actually present it to the user. How do we get through the API to the actual human? That's the third question, so I think that's that's! That's it from my side with regards for the introduction to that document or the problem.

E

Space and I think we should spend a bit of time to discuss. This I have listed the three questions here in the final slide and also are there any other questions that we haven't touched on.

B

Yeah thanks Alex, so what we want to do is we want to focus on on one question at a time would be. We have 25 minutes of time to do this, so what I would suggest is we're. Gonna go back to the question one and people who have comments or follow-ups on question one let's get those through and then we'll move on to question 2, question 3 and then then we'll solicit any anything, any questions that people think we might be missing. So, let's, let's start with the the question on hard requirements: yeah I'm, gonna,.

E

Make lessons so the question is the document curls at least any heart requirements, although the milestone in our Charter says requirements document so.

E

Where do we get those Daniel thanks, Heather.

G

This is Daniel con Gilmore a CLU. So it's not clear to me whether this question is, should we put in should or mosques or what should those sherds and must be right and I suspect that there are people around this room with different opinions on what they should be if we decide to make those changes so, but I'm also a little bit unclear on whether if this is the unpublished document, let me say: hey should I mean it's published.

G

The the the scope of the of the question here is a little bit odd, so I certainly have opinions about what I would like to see in in the document and there's some of the things that will be musts or shoulds, but not all of them will be right. So.

B

And, and and that's what we would like to hear is is is what you would like to see in the document in relation to requirements and and and to what degree are those hard requirements or nice to have types of things so.

G

Sue, so are you asking specifically, what do I think should be a must. Are you asking do I think there should be a must both.

B

Boy voice, your opinion on what you think should be in there and to what degree you want them in there and.

H

To be clear, it's gonna be a negative document, so it has no status, but we also have to discuss that name. But please.

G

Go this is like a very strange kind of meta discussion here, so I'm struggling with it, a little bit I mean I. Would I would say that you know, for instance,.

G

An authoritative server that offers private queries must must be valid, like must have its identity validated, and we would list a specific way that the validation would work right. I would want there to be an authenticated way to do that right. So that's like the authentication should be a must. What specific type of an indication I don't know, because we would need to sort that out, but, like that's an example like I want there to be a way to have a stricter opt-in. I.

E

Think part of the puppeteers, but I think the reason why we actually decided that would be non published document is we didn't want to hold up actual protocol development from requirements document that lingers around two years.

E

That is, of course, right that, if we put a must into an hour, published document is actually.

I

Steven and then mr. joe sympho, so I don't think I don't care if you use 2119 language or not, you could you could do other things like just move bits of text down the end and say this used to be. This is something we kind of discard it. So we don't have to say you know those things and then I need to go.

I

Reread the documents to see which specific ones I'd have strong opinions on which I'll do in a minute, but I think generally I'm I, understand de cádiz point but I think some more towards encouraging things that are easily deployable at this stage. I think would be a better overall thrust in terms of the requirements that, rather than trying to be aimed towards more strict with education, for example, so in general I think that that's the direction I would think it might be better. I think.

E

I think that's also.

I

E

Want to be a little bit careful here and not like describe the unicorn that we can actually they're not implement yeah yeah.

J

Joe every PIR I think the important thing is that the requirements actually be useful as requirements. I, don't think you've write in this document just because the milestones say you have to you, I think you're right there for reason. So I think it's it's great idea actually to not focus on just whittling, this down to death and and taking two years to come up with something that can go through the process before you start any other work, because that's absurd.

J

But although it is a bit of a shame, if it's not ultimately somewhere because I think it would be nice to record the decisions, but I think this question of, should they be hard requirements, I think they should just be useful requirements and the language you use is not that important so with if they're not useful and.

B

J

B

The documents waste of time so so Joe just to kind of address the publication question I think these will end up in a document somewhere that gets published whether it's a standalone document or like an appendix to whatever comes out is probably what will end up happening. You have no be good.

K

Hi Carl Anderson, Verisign, I, guess the question is a little puzzling to me because what you should and must mean in an unpublished document, could you speak a little closer sorry I, what's confusing to me is what do must and should mean and published document.

E

Yeah the loophole letter trustees color, you know we didn't think of it.

L

Yesterday, okay, mr. Shawn Turner I think it all kind of agree with Stephen and it's a style thing you can decide to put Muhsin Shinzon or not. That's all how you want to write the document. You can write RFC's or you can write. Internet dress that become RFC's. They don't go 2119 language that are still standards track, I mean mail.

M

L

Basically rain, so, okay.

N

Watson lad, I think that this is really a question about. We should be prioritizing some of the requirements. There's some requirements in there there are must-haves for certain communities. There are some in there there and nice-to-haves. There are some in there that it would be good if it happened, but we don't really care I, think distinguishing some form of distinguishing is definitely needed. Priorities.

C

And Stephens coming about something you deploy now kind of fits into that must-have now you'd be nice to have down the road kind of thing. Yeah.

O

Akamai, so I was a bit confused earlier that, because we have later in the session, I think document that addressing the solution, space on that and having a requirements haven't already. I understanding now one of the things that I want to say for me would be while mustard. Whatever is we've done sort of lots of efforts in having dns secured so having the data in dns secure, and we should I think utilized that to eight that protocol that we come there yeah.

E

I have to agree with you that, essentially in a beautiful, perfect world, the requirements should be done before they're, actually any solutions so that we can evaluate the solutions against the requirements. That's not the case here, that's where I'm careful about who we actually need to go that far or do. We also have two requirements in our head anyways, and if that is the case, can we simply write them down in five minutes?.

E

Okay, so shall we move on to the second question yeah sure. So second question is like a pretty simple one. Actually are we set with thought or do T.

P

Paul Hoffman.

D

Q

Sorry, Dickinson I'm, not sure, I understand this. You saying you would hard limit the set of protocols that you would consider processing a requirement. It's a requirement. We will use no other protocol except dot.

E

Yeah well, I mean it's the decision. Do we say we all said we're happy with what we have or do we wanna go out and explore for a year, I'm biased a little bit as you can hear, but so.

Q

Yeah I'm confused what the requirement would be. Are you looking for the opposite requirement? We would actively look at the protocols. Is that yes,.

H

There might be a better formulation, yeah indeed, I, would.

Q

Say yes, but it's not one of the immediate I. Don't think you want to be discounting any protocol here, because you know what's gonna come out the woodwork right, yeah.

H

I think yeah I think your formulation is much better than ours.

K

H

Please please, in that.

R

Sense, huh hello, made of like power, deenis I like that I like that a lot, but what more important to me is that we don't do a lot of probing. Nothing, opportunistic protocol, wise because I don't want my resolve for spending seconds figuring out protocol to speak to somebody, so whatever we do make it discoverable without pain. Thank you and.

E

I also understand you say: make it just a potential choice between a small set of protocols, I think about well.

R

Yeah as an implementer, yes yeah,.

S

Man uber tell that is being tried at the moment and I think it's the wrong in fruit that we can go with. At least you know, the future may tell that we can start using something else, but instead of making it over complicated and have big dreams, let's get going with something that is available.

T

Airline I think we'll end up needing some kind of mandatory to implement minimum dot seems perfectly fine for me, but I don't see that it necessarily precludes other things as long as they meet general privacy and security security requirements.

T

Yeah, okay and Eric.

U

Not even plus-one to those but I think, and especially agreeing with the making sure that if we want to go to something like DNS over quick, it doesn't become something that requires lots of probing and such and there's a clear way to negotiate to it.

V

Who need from Google Public DNS and as a starting point DNS over TLS seems like the right thing, because the protocols has been demonstrated to work. Ok,.

N

Cool Oh Watson. You really don't want to design your own encrypted transfer protocol. At this point, please just use TLS and and if that stops working, then we can start thinking about ways to fix it. Yep.

E

You only know that.

F

E

Once that's why it's ok, so I think that's pretty clear. We want to go ahead with DoD, but we don't want to preclude any potential future protocol yeah. If that's what the understanding is and if we go there. We actually want to consider the implement this perspective that probing through 23 different protocols, might be unfeasible to implement Peter.

R

No probing at all, please: okay,.

Q

R

23 not 1, yes, find out some other ways like signaling from the parent or okay, if possible, yeah we're.

E

Gonna note that, as implement.

W

A perspective, but those projects that make I totally agree with Peter, no probing at all, just some sensible, signaling, please, okay, okay,.

E

Third question and use a signaling: that's not a fluffy topic yeah! Do we want to think about ways or protocols to convey the privacy status of the upstream connections to the star is over Daniel.

G

Can't go more from ACLU, well, I think this is a really interesting question. I think it's second order and I don't want to distract from actually getting there linkages working so I would say: put this off! Okay,.

S

Then you bro tale oh yeah, I agree, I mean this is a renoise to have a guess, but this is going to be super. Complicated, I know yeah. So.

I

This is the route I agree with the two previous speakers. I think it would be a useful thing for people to come, think about and consider, but keep way off to any critical path. So I wouldn't like to say you can't talk about it, but I'm already happy that we don't try and hear it there. It.

E

Shouldn't be on the critical path.

T

Erik wine I also sort of questioned its its usefulness, because if we have this then do we have to have a signal that says whether or not Q name minimization was used during the process as well. You know and- and you know, insert other dollar sign new yeah privacy feature it cooked like grow pretty quickly.

E

Into a generic signal to the client, whatever we like to do, yeah.

X

Hi Pete Alexis poverty is plus one to consider it, but don't make it a big topic for therefore, the first draft, okay and I do have a question about the engine for signaling. What would the end user do with this information? In the end, I mean the question has already been asked anywhere I've to the internet. So what? What? What does the use case here? um I.

E

I think it would depend on the client, but my my like my personal imagination would be. It would be mixed into something like a cream padlock somewhere in some place in some app I. Don't know.

D

Christian Rita MA. Well, please keep it simple, remain this and use of signaling. The end user has no way to verify that the server is not bullshitting it yeah, so May is basically useless. It's.

E

Like the security Pete.

J

Joe ably PIR and that's all sensible, but the one thing that is interesting that is not there is, should the be able off tunes you for a client to indicate that they want privacy and.

Y

J

Discard the query: if you can't offer it again, not guaranteed, but it's a signal you.

E

Know that yeah interesting point yeah we can so Jojo.

B

Before you run away.

O

To Joe's, mind I mean most of the clutter of the queries that the client gets coming out of a cache. So if the I mean what would be the point in requiring security, it's absurdly hard within a resin tree cursor to find out what the state was when you entered, and then what is the state when you exited, because there are tons of recursions going on all the time and some of them are secure. Some are not, and I mean this is a bit to the.

O

The signaling itself is very hard, but finding out is nearly impossible. Yeah I just.

J

Clarify I wasn't suggesting it was easy or sensible.

Z

At the code madtown said I so I maybe I'm not understanding something here, but I would have thought that end-user signaling would be a thing that was useful between the stub in the application rather than between reaker, sir in the stub, because wouldn't wouldn't this be the stub saying yes, I got my answer over TLS. Why would the application not trust that I say.

E

The closer levels actually those legs of what you just mentioned, most from the resolver to the stop for repairs to the sorry. So fine from the stop yourself as a user, makes it even more complicated, was.

AA

Here to careí, say, and so in the HTTP world, where we do have signaling Greenlaw all that kind of stuff. The point is that the user knows that they, you know, can safely hit submit next time, although they don't actually check the link. So it's a whole nother thing. The reality is in something like this. It's more like saying: you just released your privacy right, it's too late. The signal occurs after you've already disclosed what you've done so I'm, not sure that there's a whole lot to be done there.

AA

It is true, the green not to yes, which.

E

Goes in line with what shows that that you would probably or others think about something where the user like to requests previous, enabled up streams, Daniel.

G

Can do more so signaling to the user in whether it's the user signaling to the service of what they want or signaling back to user? What the result was is a super complicated problem. It's a complicated problem when the user is only talking to one party. In this case we have a user talking to one party. That's then talking to another party. Actually they might be talking to how thousand parties it may have talked to those parties in the past.

G

So I just want to point out that, like with the signaling that we're talking about here is extremely complicated and something that we have failed to do successfully in other contexts here at the IETF, whether it's much simpler, so I really think we shouldn't hold on.

AB

Daniel arc employed by the Internet Society, but I'm speaking for them. The I agree with what decayed you just said, I think we should just personally I think we should really look at how I don't know that the end users are really going to care. We've seen this right now right and look we're removing some of the signaling for some of the other places that are out there.

AB

You know in two different ways: I think we really have to study whether anybody's actually gonna do anything with this or if it just becomes more overlord overload for what's normal and.

AB

On that note, I think we should involve the people who would actually implement said signaling, so that ain't no asking the browser vendors. If we gave you this signal, would you do anything with it, for instance, because if nobody's going to actually use it right, I think you're gonna say that right? If he's gonna use it then don't bother. Let's move on to the next item.

W

Nick I suggest to move to more technical topics, because we can waste any amount of time on discussion about signaling without actually having the protocol. You know we are not going to signal anything useful anyway, so we as DNS resolver implementers badly need a mechanism to signal that the offer the website- or you know the other side- understands some secure transfer protocol. So I would suggest the focus on this. Otherwise we will not get anything before it anyway. Okay, yeah.

AC

Yeah I'm not from this Elliot layer, I'm not far off from what he just said, but I did want to add that I think there's an overarching question here that the IAB should look at I've mentioned this to Steven, which is what sort of end-user signaling is actually useful in a more systemic way, and that could feed back to you. But I think it would be premature to go there now and it's a research topic actually yeah cool yeah.

AD

It was cool, yeah, I, don't know what can imagine what a client would do with the signal instead, had it I mean I mean they're like I want, like the you know, if the visit version that would be useful, are you already do get? Sometimes you know is like there's the domestic valid.

Q

Or something but.

AD

Like that's, not we're getting here so um I can't imagine anything you could do contingent. Oh well, I was just is that we built Justin to put this down, and if someone comes up with some useful reason, why you might say you do is a signal that you visit the question. The signal yeah.

AE

Brian Dixon I think this dovetails with policy discovery and or other kinds of discovery in the the signaling I think needs to be to the application not to the user, to some degree, at least in terms of supporting certain environments such as the enterprise I, think, that's an area, that's complicated, but I think there's a lot of potential to find solutions and I'm definitely committed to participating in that contributing ideas. Thank you.

Q

Sahra Dickinson one other thing to consider is I. Think that what seems to be the more useful signal is one the client can send to the cursor to say: please don't do this query if you can't guarantee you're going to do it over a private channel. Obviously you can't enforce that there were cursor honors that, but we have something similar with a DNS client subnet, but the client couldn't at least say please step forward by IP. So I don't think that's a simpler problem but I think that's more useful to the client yeah.

E

Understood cool thanks, I think that was really good because we tweaked up quite quite good on social model questions jump.

B

The other side, where we want to find out if there are other questions that people want.

H

B

So for the last couple of minutes, do you people have important questions that they think we need to consider when we're when we're doing this work that Alex and Ben know have not articulated yet. We've got three key ones, but everybody always seems to have their own little interesting questions and here's your chance to bring them up now. My.

E

Takeaway before was that the implementers really want something that prevents them to yeah, so the ones signaling that in some way that they can start away with right away, was a encrypted session.

I

By a student well and so I'm not sure if it fits here, maybe it's somewhere else in the agenda or you want to do it later, which is Oliver she's fine. But at what point do we want to try and figure if our goal is to be strict or opportunistic.

AF

I

E

A question for the.

I

Chairs I guess yeah.

E

Yeah, it makes it easier for me.

B

There there are pieces of work that people want to do and have proposed that we need to figure out how they fit in with this. What we think is going to be the right solution, so I believe that some of the stuff that some of the answers to your question will come up in later discussions. Okay,.

I

So the answers later yeah cut.

C

Okay, thanks everybody, oh and we were gonna say if you have text or comments use, the github send pull requests, we're more than welcome to process them and if.

B

You're allergic to github, you can send comments via email, yeah.

P

B

P

For you, can we stop on that one? For a moment, okay, I'm gonna wear my hat as the get working group chair, YUM.

Q

P

Two just said things that will cause comments to appear in two places and people not to see some I will now taking off my hat. Can we just have comments on the mailing list? I, don't think we need to track into places.

AG

H

This fine, it's it's up to the working group, so we've started with the vicki. Then it was proposed, move it to the github, because it was more easy to track changes into contribute to a document. But I merely it's: what's best fit with the working group. So how does the working group on to interact with this document? Yeah.

AD

Yeah I mean I've done this repeatedly. Okay, this is extremely convenient. I'm, not sure why Paul, but yeah like seems a bit way to report issues of the documents party, yeah.

H

So the move to the kids help us also after the interim meeting and from the requests from the participants from the midterm of the mid WebEx meeting. I can imagine that we kind of update also on the mailing list that there's has been edits on the github repository for and their attention point their attention to the documents.

E

We can also happily gladly create an internet Rafi. We thought at that point of the development of that document. It would be easier to have something: that's more dynamic and an intern off that goes on to revision, 76 77 78, but we are open to that. So.

I

It's Tim well I, think I got a repo. What I mean I think there's been one P or and and zero issues on this I just had a quick look and there's been a bunch of discussion on the list, so editorial changes work away in github. That's just fine text to get up keep any non editorial discussion on the list. I'll get the Americans.

O

Yeah I feel I wanted to attract with that I mean the discussion and all the changes that go in there have to happen on the mailings, because that's what we are using, let's get out.

AB

Dan York inside a bit speakers myself is this going to become a draft at some point because we're so.

B

What we mentioned earlier, Dan is, is that at some point, probably on a minimum either the requirements are gonna, be published as a standalone document or published as an appendix to whatever solution document we put forth. So this document is really just to collect all the key things that we want to focus on, and then we can decide which ones need to be included in in a in a publish the RFC, okay, I.

AB

Just from the way that we've worked just kind of wrapping, my brain around a different way of working, because we've always worked in this group with drafts and now we're working with the document. It's not really a draft and we're working through that to go and formulate that so I'm just yeah.

H

I understand so yeah, it's something first, it was an ID we we got after the Bangkok long meeting, but we had some discussions with the chairs and the tutor, and then these collect some IDs from the mailing list. So this document is also kind of an inventory of the discussions on the mailing list and at least place everything together search rates with some questions.

H

That chairs also ask what does the users perspective, but is the operating perspective and to start the discussion and I'm fine to move it in any place on any form was a working group, but this is kind of kick starting. This discussion here we have here now have kind of some structure to think about and organize our work for the next. So.

AB

I guess my only comment. We were somebody who is not far this group or who wants to know what we're doing in this group. This is now a stealth document, because it's not in data tracker, it's not in anywhere that anybody would know unless they happen to follow this so I, just think from a transparency point or something to know what this group is doing.

AB

It might be good to submit something as a draft and now yeah it just in in so it's at least on record, and it could just say at the top of it that you know this document is being iterated over at github. You know go there and be part of that. I.

H

Think that that's my personal conclusion but pull and an echo said something and.

Y

Finally, to check chases on get up, but I.

AB

Think I think it was a great way to do this, so somebody with the issue tracker and the piece of there but I think there ought to be some linkage from this groups pages or something over to where the discussion is actually going. It's.

B

So so let me see if I can simplify this a little bit. We were. We don't want this document to be a gating factor for some of the other documents. So that's why we made it a just a scratch working group document as a beginning point: if people want to see it as an internet draft, we can do that. It's not that hard.

B

The other thing I can do is we can sit down with with the secretary and just have it add a link to the to the Charter page so that everybody knows that this is this is where to find the working document I'm happy doing it either way. Please.

AD

Make it in in a draft they're working documents, it's fine, the cheap, extremely cheap and then like, then, people like know how to find things for the working group. They know how to like. You know when they come in, they download the agenda. They can just download the working group on I. Don't that conflicts in any way with using github for like to develop iterations of the draft for like please do plus one okay.

C

E

I notice so I get that us. We shall convert that into an internal training.

AH

Q

So there's two I'm going to talk about today: I'm gonna start with the 76 26 biz, which is a rev of the privacy considerations document.

Q

So the original document was actually published back in 2015 and it was the first document to come out of deprived and in the abstract. It said that it documented the privacy issues associated with the use of the DNS by Internet users. So there's a couple of things with hindsight to note about this: one is that it is very specifically limited to privacy. It does not talk about security or trust models or how users choose which was over to use it was based on.

Q

It was simply a snapshot that was based on the way DNS was deployed and used at the time. So three three and a half years ago, and as we all know, that has changed quite a bit we're doing the piece, because since then we have had multiple standards based in deprived and Indo, so we no longer in the world where all DNS goes over clear text, so things have changed alongside that. We have the second draft that I'll talk about today, which is the best current practices for operators who offer privacy services.

Q

When we were developing that draft, we ended up basing it on a model where we describe the threats to users, and then we describe mitigations operators can provide and we wanted to use the 76262 basis of the threat description, in other words, a problem statement.

Q

So it felt like the right thing to do was to update 76, 26 and add new threats from new protocols that were available and then reference that from the BCP, so that we had these two companion documents, one with threats in one's mitigation ism.

Q

So the status of the biz is that it was first published in July 2018.

Q

We did an update at beginning of this year, but only with very minor updates compared to the first version and a call for adoption started yesterday or the day before, say. Thank you to everybody. Who's already commented on the list. Please take a look and add your comments to that to a very brief survey of what is new in the bids compared to the original document. In the current versions appears, so we added work on dot and doe. That's in there and included those as transports that users can use.

Q

You wouldn't believe how many references have changed. In three years we added a section talking about threats due to PII inside the DNS payload. We talked about attacks on encrypted transports and the potential that encrypted transports actually increase user tracking via various mechanisms.

Q

We talked in the we added information and describing the threat to user data in the server, because again, there could be additional information. If it's come over a transport that has tracking elements, we talked about threats to being able to authenticate servers over encrypted transports and blocking of encrypted transports.

Q

So the question at this point is if it's a very positive feedback about adopting this document, and so, if that's the case, how does the working brick want to move forward? So what's missing, or what still needs work in there is. One question is: is the coverage of the encrypted transports sufficient bigger questions are? Should the scope of this document actually be expanded, given that new questions are being raised about threats to users based on their choice of is over, and the network context that they're in now?

Q

Whether or not this document is the right place for that I, don't know, I think that's a decision for the working group to make we're also seeing work on discovery mechanisms, so we should as those progress we should probably include how users assess and choose which discovery mechanisms to rely on I. Think that's something that does fit here at some point in the future and as a last question, there's a lot of talk about. Where should lots of different discussions go? Should there be a new working group?

Q

That's focused more on policy and deployment and deprive should remain looking much more at the protocol level, and if that were the case, would this move to that sort of working group? So that's a much longer term, much more open question.

Q

So that's everything for today on this draft I, don't know I'm happy to take questions on this now or I can go on and talk about the operations draft and take questions at the end, which seems like the more sensible thing to do. Okay, in that case, I will.

C

Q

Q

So the companion documents to the problem statement is the solution, which is the best practices for operators who are offering at least one privacy preserving protocol. When we wrote most arted on this document. Originally we had two goals. One was to describe the operational policy and security considerations for operators using the transports, and the second was to think of a way that operators could publish and communicate what policies they are at and practice they are using in practice to users to help with informed consent.

Q

So the document is actually split into two sections along these two lines.

Q

Where are we with this draft? The the last time we presented? This is back in Montreal because there wasn't a meeting in Bangkok it adopted by the working group very shortly after that and we've currently on the OT revision, which came out just in March this year. But I would say, there's been no major changes since it was adopted back in August, so I'm gonna just quickly run through the document structure, so that people get a flavor of what's in here. If you haven't read it for a while.

Q

So in part, one of the document where we talk about the considerations we frame those within three contexts- one is on the wire so between the stub in the recursive. The second one is in the server, so we're talking about data at rest and third, one is upstream. So that's messages on the wire to authoritative and sharing data with third parties, and so what we do in the document is for each of those contexts.

Q

We enumerate the set of threats that there are, and then we recommend, mitigations and in the current document the threats are taken both from the 76 26 beers and from the privacy considerations for protocol development document, 69, 73 and then there's a few others which, which are actually standalone, then for each of the mitigations. We've broken them down into three sets. So we say that there are we've labeled them as mitigations, which are things that you shouldn't be running a what you're calling your doing as privacy service.

Q

Unless you are doing this set of things, so that's the minimal you can do to be compliant. The second is optimizations, which are things that improve the position for your users, and then the additional options is like the full monty of this is everything you could possibly do to really so you bring up your service, so it doesn't correlate exactly to a traffic light, but that's one of the places we could go with it. Akka yeah.

AD

So, are you saying that you shouldn't be running a dot or doe server? Unless you do these things or maybe you shouldn't call it a privacy service? You.

Q

Shouldn't you shouldn't promote it as a privacy service unless you're doing the minimal set. Okay.

AD

Yeah sure we agree all right, we'd, better the world, be better. People have the same quarter. You I did approach their policy to have now for, like Rin yeah.

Q

Because, if you, if all you do, is take what you haven't just toggle to TLS on that, doesn't make you a privacy service, no.

AD

It does mr. wall a better place right.

Q

Okay, so to quickly spin over some of the things that fall into the categories, so in the on the wire section, we consider both protocol and service. So we talked about your protocol selection. We talked about ensuring your offer way for users to authenticate your service and the varying ways you can do that. We talked about certificate management because that's new to DNS, we talked about protocol things. You can do between the stub and recursive so pad. Should you pad things? Should you do session resumption?

Q

Should you do cookies or if your do any of those you shouldn't require the client to do it? They can opt out, and we also talked about ensuring your service is equally available on clear text transports and on encrypt your transport. So servers aren't at a disadvantage if they choose to use an encrypted transport at rest in the server. The focus here is really aren't primarily its data. Minimization. It's don't store anything. You don't need to anymore if you're a privacy service and then, if you do have to store stuff, how do you handle it?

Q

So we talked a little bit about trying to maximize monitoring to be transient so that you don't you know you could do stuff, potentially in memory and not even save it to disk.

Q

We talked about logging and if you are going to log, please anonymizer as much as you possibly can don't use the data that you have to track or correlate users across other services that they might use from the same endpoint being very whereas who has access to the data and we have a what's rather a placeholder for defenses against cache snooping in terms of the data sent upstream. So we talked about what recursos should be doing in terms of protocol, so you should be doing you know minimization.

Q

You should be very careful about how you do ECS. If you do it, you could run local route, etc. We briefly talk about how you might want to employ traffic obfuscation, particularly for privacy services, with a small subset of users and how you can then let your users hide in the noise of upstream traffic and we go on again to talk about data sharing and there is a fair amount of commonality with the at rest, but there are some things that are also specific to sharing data.

Q

The second part of the document is the policy and practice statement, and this is nothing more than a framework that we are proposing for a way for operators to publish the decisions that they have made about the service. It's not huge at the moment. What's in, there is about two and a half pages of text. It's just a list of you should say something about this. Something about this something about this. The.

Q

What we hope is the usefulness of this is that it will allow operators to publish their data and their policies in a similar way to provide consistency of representation for users who want to consume or analyze. This now there's several hours and days of my life. I will never get back from sitting and reading policy statements from just the big three quad services.

Q

Trust me I, my guess was I read about 5,000 lines of texts in over 20 different locations in order to track the chain of policies that tell me exactly what is going on, so it is non non-trivial for even a technical user to get a really clear picture at the comparison of these services. So we've heard a lot of times this week.

Q

Informed user choice and consent is really important here, so that one of the goals of this is to enable that, by collating information in a common form from users- and we also think that this is the best way to provide the basis for external audits, which are another key element in terms of I'm an operator I say: I do X. How do you know I really do so. This would be the basis of an evaluation or monitoring. If you could give you ideally if you can actually do it by monitoring rather than requiring an audit.

Q

So as an exercise to this end, we try to use the proposed framework and we try to look at for the privacy policies of four providers when we originally did it. Google didn't do dots, they do now and Open DNS doesn't do dot, but obviously cloud four and quad nine D, but it was just a let's mix and match and see how useful this is.

Q

We used to have some results in the document, but because we of the table structure in a document we just found, we couldn't display it properly here, so we've actually moved the results onto DNS privacy. There's a link in the document to this work, and at this point it's research, that's informing how we do the framework and will not necessarily be in the document when it's published, but to give you an idea of how you transform five thousand pages of text into an analysis of the policies. We have two tables on the website.

Q

The first one is the policy comparison and apologies that this probably does still really look small so that the sides and have a look or go to the website and but what we want users be able to do is look at information like this. Here we compare quad nine actually offered two services with different characteristics on different IP addresses, we've got cloud flows, dot and oh and we've got Google and opened in us.

Q

So, for example, you can just go alright, who are the partners of the person I'm, sending my DNS data to and can I even find out what they are? Are they stated anywhere or what does this operator do in terms of filtering where's? The statement for that so I can just pick and choose very easily based on my requirements.

Q

Similarly, there's a practice comparison so again, the same services and it's quite interesting to skim this and oops oops and see things like yeah at a glance who is doing dinner, sack not everybody, interestingly, who is doing query no minimization, and so and some of these things we can actually test for by monitoring and the ones that we can test for. Sorry.

Q

So again, going back to the idea that these tables are still complicated and you still need some technical know-how to read them, but once you've gone from text to tables, you could, in principle, translate this to a traffic light system which we could summarize you know each one of these falls into a category about their level of compliance, and it feels like that might be useful information to convey to users.

Q

So, as I said some of these things, we can monitor some. We can't again at dinners privacy to org. We have a monitoring test, suite set up in Jenkins, we're down the side. We list all the dot resolvers moment.

Q

It's limited to darts, all the doc resolvers that have been stood up, and so, whenever people just don't stand up dot service, they tend to get in touch with us and say: can you publish my details on your site because at the moment that's the best out-of-band way to publish things like IP addresses and credentials so down the side. We have various servers, including the ones run by the stubby developers, quad, nine Google and Cloud Player, and across the top we have a set of tests. A subset of these are things that are.

Q

We are recommending are part of the policy statement, but we test for some other things here too. So you can see if I highlight one way there. That's quad 9, Google and cloud flare and going across the way we look at. Do there for TLS. Do they offer it on port 4 for 3? Can I or CENTAC 8 the name they publish? Do they provide spki? Pin it's a certificate currently valid. Do they do cue name minimization?

Q

Do they do dinner SEC? Do they do keep live? Do they pass their answers to do TLS 1.3? Do they do ask forward responses so wherever we can we're trying to do that, and what we haven't found yet is any discontinuity between what these operators say they do and what the subsets things we can probe for. Okay,.

AD

Yeah, this is cool I'm. Just wondering um I saw the in the previous thing you had so okay, so so on. So these just be clear. These these, these, like red red exclamation points, are not they're lying, but this is bad they're not doing it. This is bad right or.

Q

Just not necessarily just that they're not doing it, they might say we're not doing a.

AD

Very good, so it's just a right, okay, so right by me, but the but the implicit, the the implicit thing is like. We think that that's not good, because, like the red exclamation point like it like, this is bad right. So I guess I was wondering how you're gonna handle on more neutral properties such as blocking right, yes, I mean like um because, like that's a different table, that is like more like think about figure out for yourself yep. So.

Q

What we were thinking of doing is evolving this and splitting out into the set of things that would map to what's in the compliance and trying to do that. But, as you say, some things we will have to be very careful with because they're subjective you know. So this is that, there's that other things we can monitor think they fall into two categories. There's the from protocol perspective. You should be doing that. Yes,.

AD

Q

There's a what is your service policy and, let's just reflect it, so people can make an informed choice without, as necessarily saying it's good or bad.

AD

I would actually suggest that there are perhaps a slight difference on me, which is um so there's there's the things you regular things you on like, like those are noticing more the things that we have disagreement on, whether they're good or bad. um So um you know so like this up on this list. Right I think we all basically agree the like.

AD

You should do with these things, so um it seems like basically uh you know, there's um the policy was the policy say there's what do they actually do and like and then did they disagree, right, yeah and so, like the UM you know, so, I guess and qualitatively like they, like. The policy doesn't reflect like the. If the policy doesn't reflect actual behavior like Superbad.

AD

Like you know, okay, if you see who tells we're throwing you don't that's like much worse and like, if you just don't, do it or how you just like actually like so um so, yeah I guess like I, think maybe that's the way we're think about. It is like the sort of three tables I think table which is here are some things which you might uh might I want, and this is 2002 Wilson right, likes I mean, like I, think great examples of blocking like like what 19 offers blocking.

AD

Is your non blocking service and I'm? You know, maybe you want blocking. Maybe you don't like that's a few to decide. We don't tell you which one you are yeah exactly.

Q

Thank you. That's a really good idea, we'll do that with this table. One thing to say is that this table is generated off a single vantage point, which is the Synod in office in Oxford. So it's you know. It's certainly possible that you might get different results if you're looking for different places. So one thing we were literally talking about in the break beforehand is what would be also really.

Q

Nice is a tool a bit like the N on the internet, dot NL connection test page but extended to probe from your device across to multiple resolvers on multiple transports and see what you get back and, for example, compare answers to see you know if you talk to, as we saw on the network.

Q

If you talk to quad a over UDP, do I get the same answers as if I talk to it over TLS, because I know nobody's messing with the TLS ones if I Center, Kate the far end so I think that would be a nice thing to also work through, so that you could validate some elements of what you think. What service you think you're getting on the local network, Steven sympho.

I

Just on the last point, decker mater I think there's there's more than one category of blocking. Some of you know, there's a category that you might kind of opt into and then there's another category that you might need me told about so I think that I'm not sure how you could possibly distinguish those things, but not conflating them would be good and.

Q

I think also thinking about it, even if it, if a operator says we block these kinds of things for you, detecting that they comply to the way they say they block is really tough, because that's a that's a hard space to probe.

I

Q

We'd have to think about how do you go about doing that, like.

I

I, don't think it Maps into a traffic light type thing right. No.

Q

I, don't think it does I think it's a data gathering exercise hi.

Z

Jeff Hodges, on with respect to the the client-side probing that you were talking about us, take a look at metalizer at Berkley yeah. There might be synergy there. Thank you.

Q

Okay, so to wind up and come to the open questions about this document. The most comments we got the last time we presented this was around the structure. The document should it's their single document.

Q

Should we split out the data handling because that's possibly an earlier problem than just describing what you should do in terms of protocols on the wire and should we actually split the policy framework out into a separate document, because that's a standalone thing and what we heard was support for doing both things on both questions, so none of that actually ended up coming to the list. So if you do have opinions, please bring it to the list, so we can make a decision there.

Q

Some of the other questions are about the scope of this document. Even since we started writing it, that's possibly changed. Should we have more detail in this document about if you're an operator and you're a DNS resolver and a CDN, here's some things you should and shouldn't do or if you're just handling, for example, doe traffic and other traffic at the same endpoint, here's some things you should and shouldn't do so. It's possible there's, there's ideas on that that should go in here and I guess in terms of moving the document forward.

Q

I think that the chairs might want to come on this as well, since the last update that we did in the middle of last year, there's been very little discussion on the list about certs I mean so the question is: are we done or do we just not think this is fit to be a doc document? It should stagnate for a while.

Q

It's currently designed to be a BCP should we think about parking it as an informational document instead, I, don't think, what's clear is what the working group actual wants to do with this going forward. So.

C

That was my thought we feel like. We have enough data to sort of make a BCP type document, I mean.

Q

It's we've always said it would be a living document. It's gonna, be very dynamic, so I mean there's a question about it becoming a draft in the first place. So if people have ideas, we'd.

C

Love to hear from folks on.

Q

What we should do that please take it to the list, any other questions or we I.

AI

Think this is a I mean needs to be settled with the open questions, but I think having a BCP on this is valuable to the community, which is why my name is there too I hope I'm, not like opening the can of worms. But clarity from us about BCPs are for clarity about us from us about the value of some operational decisions and I. Don't see a reason why this group can't can't be involved in one of those sorry.

AJ

Rich Sol's Akamai yeah I'd love to see some advice for CDNs.

AJ

Bcps are like a point in time, statement right and what's best changes over time. I think this is like a brilliant document. I can't imagine the effort that went into it and reading what was leaking for all that legalese. So thank you very much yeah. Let's move forward.

Q

J

Le PIR I also thinks good and it should be published, but I also I. Think one of the reasons for that is that it defines some terms that are useful to cite so when it defines, for example, levels of compliance or whatever you call them, in the degree to privacy degree of privacy afforded in three levels. That is an interesting thing to be able to cite and refer to you, because it can use that in protocol signaling, so I think.

Q

J

It's worth publishing, okay,.

Q

AB

Okay, New York internet society, but not speaking for them, the I would I to support doing something with this document. I think it's very good guidance I would, though, suggest I'm in the camp of splitting out the d ppppp PPS thing, because it's a different audience, because I know having worked with our lawyers, etc around writing privacy policies, and so on. You know, that's that's the people who will consume some of that. So if you can say to them, we want one of these go. Look at this document.

AB

Here's the guidance for how to write this. You know the lawyers or others engage with that probably will not want to weed through all the other 18 pages worth of operational guidance, to get to the point where they have the part they have to care about right and so I would suggest that and then you know there could be references between them or whatever. So.

Q

Maybe publish them as a pair of documents together.

AB

Yes yeah, so they could reference each other or something on that line. Yeah.

D

Christian Witham: oh that's a nice document, but some of the discussions like the discussion on how to use TLS and how to not leak information through TLS are also client-side recommendations and it'd be nice. If we had these clans. That recommendation, as in for example, client, should be very careful with using session with humans in the third and and basically and the several recommendation should be essentially don't break the clients that are taking care of themselves. I.

Q

Agree and for a while we've been talking about doing their client companion to this and I think now would be a good time to start that document I think there's quite a bit of overlap with Vittorio's drafts and, depending on you know, I'm interested in working groups view on that, because that's very prescriptive, almost in how to do certain things and I think if you're talking about a client and if you go down the road of doing client BCP, you probably want to include information to help. Clients choose their resolvers.

D

Q

Bit more subjective in.

D

The most efficient, the client I wonder: how much should we perspective and how much should be descriptive as in it is that.

Q

D

Worried about this, you should do that yeah, because.

Q

I mean we have a document that describes the protocol profile for a client, but not necessarily the more subtle considerations about what to do to a given resolver on a given Network, so I think I think there is a document laughs that could be written thanks.

E

Alex Mayo for anecdote, 80 um I have a different kind of question, and that is at which point would we actually decide to move such documents to DNS or so when thus encrypted DNS become normal standard?

E

Once we are done with the definition of the core protocol, because I don't see anything in DNS op that precludes us from sending encrypted document.

B

E

Up the same tree yeah so.

B

Now that you've broken my co-chair.

B

I think what I heard is a couple of things: I'll get to Alex's question in a second.

B

It seemed like there's interest in splitting out the the policy things which, which makes a lot of sense, and we can make a consensus call on the mailing list about that, and I also heard wanting to add some CDN content. Do you are you interested in soliciting people to actually help provide that or do you have a good grasp on what that might look like not.

Q

Yet no so if people have opinions or text, please send okay.

B

So those of you from a CDN world who would like to see that kind of content in here please get all the authors and then on the topic of moving any of this to DNS up so.

B

At a minimum, I think once we split this out and we have a BCP that we're happy with as the d-pryde working group. The easiest thing to do is actually just ask for review and dns top and make sure that that's a part of the review process, but keep the document ownership here so that the people who are most interested in deprive are the ones who are involved in the development of that document. Because.

Q

There is a comment in the document that says, even though, in terms of the data handling we, this is within the scope of privacy services. These should actually be considered to be done for any Dinis operator, so there is a overlap there and I guess, that's, maybe the point at which just DNS up want to decide. They want to start specifying some of these four as recommendations for all operators.

Q

B

And I think that that's a good point to point that out to DNS oppan and see if it's something they want to take up any other questions on on the biz or the DCP Watson. So.

N

I said a small email to the working movers, like some small. My bigger question is shouldn't this be for all DNS operators, yeah I.

Q

Mean there are some protocol elements in here that are specific to encrypted protocols. Everything in here that isn't limited to an encryption protocol. You could absolutely argue that's why.

N

I think we should go one step further. I think we should say that every thenis operator should be using encrypted protocols say.

Q

That was another question.

Q

With regards so, it came up slightly the other day in the context of the TCP requirements. Implementation Alliance should TLS or other protocols be a must implement, should implement for operators. So again, that's maybe something for Danis op. Thank you.

AD

Gonna say I was gonna say that probably seems like this. It's 69 19, but we know you won't.

B

So while our next speakers make no way up here, what I would like to do is is ask for any volunteers who would who would agree to do a review of this document in the next same month, so that sarah has a good set of input from okay.

B

AK

Thank you, hi I'm, Victoria, Grall, Tola and I'm, actually I'm still an ITF new hammer, so just to give you an idea of incoming phone so to explain why maybe the document is built in a certain way. I was involved for like 20 years in the rest of the internal governance, places like I can and so on, but still here, I'm a human, a new camera and I was told that to start the discussion, I had to write the draft, and so this is what I did and actually I I started from the same consideration.

AK

That was already done so that I saw this best practice document for the operator side of privacy services, but I mean going throughout the day and the DRH discussion. It appeared to me that there's a lot that needs to be discussed from the client side, and so I said why don't we try to start to start writing advice and best practices for the people that write the DRH in the OT clients?

AK

So I mean this is the approach that I have taken, so I tried basically to take the other document as a starting point and do something similar, but aimed at client applications. So this is in a way it's complementing, but it's pretty different from the other to do. H drafts that were presented in the new age group, which were written by operators trying to document their own concerns of their own problems. I mean the idea it was to try to have a violin of all the issues that have been reported by different parties.

AK

Of course, no one really agrees on all of them, so some argue that these are not issues but still, first of all, I wanted to write them down and then maybe trying to see whether there can be any share, if possible, advice on how to deal with some of them and deployed your age in a way that is acceptable to everyone and solves at least as far as possible.

AK

Some of these issues and since I think at this point of the discussion, more or less everyone agrees that the problems derive from the deployment policies from the protocol itself. I think this is why some best practices on how to deploy it is necessary. So this is absolutely not meant to stop the the deployment of encrypted protocols.

AK

Actually I think that in the long term, I mean I agree with what was being said that in the long term, everyone should just be running encrypted eNOS, and so the point is rather that I see some resistance to the deployment of mass transport exactly because of some of the issues.

AK

So I think that if we find a way to address them and make everyone more or less happy, or at least less less unhappy about these, it will be easier to get it deployed and also this is in the end there I mean the document was not meant to attend a single site or to promote a single side of the story. So, of course, this is just mine, I'm sure that there's a lot of stuff in it that doesn't have consensus made. Possibly it will never have so, of course, there's.

AK

There would be a lot of work to be done on this document to make it a consensus document, but I really tried to reflect them the issues and also the advantages of the DNS and critical protocols in a fair way. So, if I failed, of course happy to the comments, but this was what I try to do and, of course, I'm happy to incorporate other views and take all thor's and work on this, so I mean that the document is structured as an advice to people that have already decided to deploy a liquid client.

AK

So this is why there's not an official commendation these but- and the attempt is basically well first of all to introduce our a bit of terminology because I think we still like it. So there's still a discussion on how to call certain things and then tries to break down the issues and organize them in some way. It's not entirely doable.

AK

Since many of these issues are connected together, but then we try to write them up and give a write-up of the issue and in the end there are some recommendations which in some way, I mean since, as I said, come more from the policy side. I realized. These are maybe more on the policy side that, on the technical side, there are also some technical ones, but path of them could be to policy. So this is also part of the discussion, so I mean well. This is just a simple and I.

AK

Don't know how many people here actually read today. The draft is like a 19 pages, so it's not actually very short, so just to give you an idea how to structure this really a bit of terminology, mostly related to defining terms like local or remote resolver, and the different models of having members which will happen at the network level or at the application level, and and then this is the list of the issues that I found again.

AK

This is completely up for discussion, but I mean I've, seen another list of issues shown Wednesday all at the side meeting and I think it was incomplete. So if we take all the things that anyone has said about the problems that have been caused by the deployment of DHS I think this is at least a starting list missing, maybe there's more stuff than this, and and so in the end. Just to give you an example, this is one Lester.

AK

How have the left go so there's a description of the issue, an argument of the pros and cons in in the end, some suggesting this is paraphrase: it's not the actual text, yeah suggesting that application should do certain things or should not do certain things and so on. So this is more or less that the bulk of the of the draft.

Q

AK

I encourage you to read it. If you didn't so I mean the point basically is: does this make any sense? So is this useful I mean? Can this be a way to further the debate to discussion in a productive way, rather than just continuing to work? We do one against. The other is repeating the same things and again this is in the mandate for the IDF. Maybe part of it is as part of it is not.

AK

Maybe this could be focused more on technical stuff and the policy stuff could go elsewhere, but again, I'm happy to take feedback on that and, in the end, we're where we go and thus I think this discussion needs to be broadened, so I mean there are concerns expressed by people that are not technical and are not in the IDF. Maybe those are concerns that I'll not to be addressed at the IDF, but still it's something that we have to discuss.

AK

So basically, this was just a way to throw a stone in the pond and get some waves and see what I can get some comments. Thank you.

AD

How long we have here so and I think this does a reason. The introduction of this is a reasonably good job of like laying out the technical background. Iteration I, like the distinction between application and network selection and application and network resolvers.

AD

I think this the arguments about what's good or bad and the recommendations reflect one point of view. That is not a consensus point of view and I cannot imagine those getting any kind of consensus on ITF, so I'm, not only sure at the point of the recommendations is I. I can take it. You know you about the previous slide, like I can take issue with it bridge everything on that slide. um Much that's helpful.

AD

um I got my opinion pretty appreciate for Leah that this I'm eating, though I suppose that most informal so I'm happy to do here too, but yeah I, think you know um some of this. Some of these things I think go wrong. Some of these things, I just go fight EF, but I. Don't don't I, don't think. There's any like I knew the idea that the private is gonna come up for like a set of recommendations that like say, for instance, that applications and like shouldn't, like the resolvers like a non-starter yeah.

AK

By the way, I didn't plan to discuss the substance here, because it would take like two hours, I guess it wouldn't lead anywhere I. Think at this point in time the feedback is really what you were doing, something what could be in scope here. What I.

AD

Think you should trim this down to I think this is a reasonably good layout of like the solutions, but in space and like the you know, the things that might be making people upset, um though, as I said, meaning um frankly, any such document would also have to like also cover the things that are making.

AD

People want to deploy that precisely like there's a certain set of behaviors on the network that are causing people to want to deploy, applications or resolvers that do not get the resolver choice from the network and like if we're gonna have a documents. Gonna have any having exists, will surely have to cover that as well.

AK

I

File so I agree that I heard I think that this seems to be a yeah. It's a tough, been written by somebody who has a problem with doing what we're trying to do. I think and, let's not to say there are no such problems, but it's not kind of it doesn't seem to me to be to be written as if it's finally out and a you know an objective set of technical things that might be in a BCP yeah. So I think this. You know we had some discussion about, though, and so on.

I

I hope the is gr. Gonna use their their smarts to figure out venue for that discussion. Nothing should be done with this accepts ignoring it until that discussions happen and there's some more objective. Analysis done, I think.

M

Martin Thompson I mean maybe would take a little issue with the with the actual implementation of the attempted balance here. One one suggestion that I would have perhaps is find someone who's planning to do this and get them on as a co-author, and you might have have a chance of getting somewhere.

M

One of the problems with this sort of approach to dealing with this situation is that it is very much like throwing stones and one of the advantages of coming to a something like this is that you can work with with people on the other end of the of the debate and try to negotiate a situation where, where you have that that balance and I think this is a long way from from being in that place, but I appreciate the attempt and its really good to see that the the the list of concerns being articulated, because I think a lot of the problems we've had in these debates is that none of there's always one more thing that pops up and someone's people are debating from a position of ignorance.

M

More than anything else and I think this has done a lot to enlighten things. The fact that we haven't had the other side of this is is a big big gap and I think we'll continue to have these long mark lines. While we have that gap, yeah.

AK

If I may, by the way, I of course, I would be happy to have someone with different viewpoints to join me inside, do a more balanced write up and I was also wondering whether I could be better just to not to have any recommendations and just to have write-up of the issues which could be maybe a starting point for subsequent discussions.

AL

Mayor I'm, a bit surprised by the choice of this specific example that you give after the list of issues the one with applications doing dns, because it's something that is completely unrelated to privacy. So the question is this in deep rift. Chatter, then the answer is very simple: no, it's not now for the rest of the of the issues. I, don't think there is well. The list is very long. Most issues are completely unrelated on for the question is this in the Mandate of the IETF? The answer is, it depends.

AL

A few are fully in the Mandate of IETF because they talk about protocols. Some are partially in the Mandate of IETF constants applications. Doing the ordinary solution is something that we we could document this. We could document the consequences. Flag may be the risk, but we cannot mandate a specific behavior from application, so it's only partially on some are really not in the Mandate of IETF on sometimes lead I mean asking for consensus is completely unrealistic with some of this recommendation, you mentioned in one slide, no two alternative routes whoa.

AL

This is a very long discussion in a idea from other places and I'm fairly certain that we will have no consensus on this one. So my suggestion is to split this in manageable issues. Stop the laundry list report with everything I can think about Doh doh-doh dns in the real world on try to to see for each issue. If there is an issue most of the time not everybody will agree.

AL

There is an issue on what the IETF can do change the protocol document, a problem, but do it it super issue and not with long list of unrelated stuff.

Q

Sorry to consume, firstly, thank you for this document. I think it's a really good starting point for a discussion. I think it's written in a really balanced way. I have two comments to make about it. One is that I think if we're going to go into this problem, space I actually think it's a two dimensional problem. We have different classes of clients and they can be human users and they can be applications.

Q

And then you also have the network context in which that client is and I think the choices that get made are actually a decision of both those faxes. So in theory we could expand this out across the other dimensions. So that's one comment to make about how we can gather all the information in one place.

Q

The other is I wonder if this document might benefit from slightly restructuring in the same way as we did with the BCP, which is for each scenario, identify the threats and then have three levels of mitigations around the choices that you make I would have to reread it again to see if it really could fit into that model, but that might be another way to to give it some flexibility.

N

Watson I must confess to only having briefly read it I think the concrete recommendations that were made seemed fairly acceptable. I'm, not sure why people I disagree and people are disagreeing about that part. I do think document bounds, but I also agree with sevens point that this is a broader issue which which is being decided upon where the forum will be for all the DHS trees. I've been raised. I think this document is squarely going to fit they're, not here.

AK

Yeah well, by the way, I start to think the same, especially after what I heard of the site meeting so I have no problem. If that's the conclusion, and of course the attempt was to try to have I mean just description.

Q

So I'm sure not all these.

AK

Issues pertaining to privacy, so if there.

Q

Was another place when.

AK

The discussion can be brought up because I think that, in the end, the problem, however, is that some things that give you more privacy give you less of other things and some things that alleviate the concerns and other things will give you less privacy, and so it's not so easy to separate that the discussion.

AK

So thank you anyway for the comments and the invitation for people that want to be caught or so, especially with different points of view, is still open. So, even in the next few days, if someone wants to join.

AK

C

You, yes, my martins talat was perfect. If there's somebody who wants to join him on that from the other side, that would be really great I. Think your.

S

Hey morning, everyone so I'd like to try to find a way to be able to kind of separate the requirement for dot from DNS SEC in some way, so basically for what would happen within secret delegations and I, like also to have some proper signalling that we make this same so I mean both get a second dot. Basically address different things.

S

Everybody here we know yes, I will give us integrity of the content that was given to us, but there is no privacy there, while dot, on the other hand, will provide a privacy link to the peer we're talking to you, but the data they give us may not be the actual right one so Stephanie's draft about when you started detailing dot from missile betrothal Eve server mentioned using TLS a in that case.

S

Basically, you will go and get a TLS a record for the name server and their underscore HTT, three dot, NS called TCP dot, name server, and then either you get the full certificate or the spki, and then the resolver can actually validate that.

S

So the authentication stay within DNS, which is a property that we may want to have. It was no cloud provider. What is called cloud provider here says is essentially suppose you get the zone on an example would come, and they may use example, dotnet and example, dot all to serve the to solder zone, and there may be a totally total disconnect between who the donor is and who's the name servers owners up each name server can also end all its secrets on its own so like.

S

If the if the example that made name server wants to change the key want to rotate it, they can do it and they don't have to involve it on there's a longer Dennis is required, but it's only required at the name server level. So if example.com is handled by example, dotnet and org, the example.com itself doesn't need to be signed, and he does involve an extra query. What was mentioned early on when it comes to discovery, then you will actually need to do an x-ray query here to find that the cheetah cell record exists.

S

Another thing that comes to mind usually is to use the API and the x.509 certificates in this case. Basically, you will just connect to the name server and you will get a certificate validates against the the host name. That also works for cloud provider case, because everybody handled the uncertificated and- and the thing is in this case- DNS SEC is not required.

S

There is no extra query because you get the circuit directly, but there is also not you know that that is actually supported in the first place, so you could easily block 8:53 and essentially you make make it look like the the server doesn't handle dot and there is a reliance on the white PKI, which is something that we may or may not want to add so I I started to think about maybe alternate ways.

S

We could do that and I thought about the DSP ki, which is like GS, but for the SDK like the a rough idea here is, basically, you will have a new record type in the in depends on that will contain a hash of the spki of the name server.

S

It also relies on the fact that the name server, the parent name server is actually the TLD in most cases is actually just SEC enabled. So this way you can write get that value.

S

The if you here is pretty much. It doesn't really work well with with cloud providers, because you got you got this DSP ki record. That will say: oh the we support dot, but then you may have one cloud provider that does support it and the other one that doesn't. So it's pretty much all of nothing. It's also these entities, external entities have to sync up: who is the zone owner to be able to make any updates on the.

Q

Other end, there is.

S

No extra queries: there is a signal that is supported and yeah. There is a need. The the cons are basically need when you are type and chilli change, but that started to also get some people mentioning that we could maybe overload the DES record type and basically have a new algorithm that will contain the SPK hash.

S

So this approach basically has the same trade-off said that this time there is no need for new, auto type and then essentially, you get into an issue where the zone owner is the one that can set value at the parents, but the nameservers need to be able to change to rotate, that's educate.

S

So maybe what not something that we could call deal nine so dog or whatever is we did so many of them, so one more, which is basically Diaz and in this case, instead of having the spki of the name server in the in that yes record, we will basically hash the name server name itself, and this way you can get a signal that the name server supports d-o-t. So that adds signal to the x.509 from before. But then, essentially, you see like the way to get issue.

S

Finally, this was just a hack ID that the ITF 103 hackathon, which was a DNS coverage like implementation, where you will encode the spki hash into into the name server. And this way, as you query, the name, the DNS record for for example.com, you will get the name servers and then you can get a signal. That's G ot support you. Then you get the ISP I hash. These fees and s records are not sign.

S

So whatever you get not be sure, and here I'm trying to basically recap everything together in some kind of traffic light type of things. Whatever is read, I mean there's no weights between these these columns here. So some things may be bigger blockers, the noses that's kind of where the trade off would be going, keeping in the approach.

S

What I hope is that is basically I mean the original DSP ki approach, like Maeda, made a few other people kind of bring ideas like the overloading GS and what we could do there and if it would be possible not if that's technically possible. I've also heard that operationally may be hard to deploy because of restrictions from the registrar's or from the way things are working at that level. But hopefully that's going to start. People are going to start discussing how we could solve that eventually, I'm, not saying there is any good solutions here.

S

There is going to be trade-off and there is not going to be one solution. That's going to fit everybody, but like we essentially have to try to come. Who is where we want to make some compromise, and this is basically open for discussion.

P

Paul Hoffman for your last row, spki named the red block under cloud provider. Support is only true if you use the algorithm you gave earlier folks had just suggested not to tie in the name who's there. Just the key at which point a cloud provider could do that, but it doesn't improve it a lot, but it does remove one red block. Okay, thanks.

J

But Joey I believe PIR. Sorry I've got a question because I hadn't read your draft before and I. Don't know much about x.509. So is this? Is it the case that every time an individual name server operator wanted role a certificate? For some reason, you need a change in the parent zone of every domain that used that name server, yeah.

S

The yeah I mean well in the x51, I case, no because you're just connecting to the name, server and and matching the the host name to the cert. But it's in the case of the GS PKI and the GS case. Yes, because you're basically hashing the spki into the parent. So that may need.

J

To be I mean I think, for example, in the org registry, the number of domains is much bigger than the number of name servers, so it suggests there's a lot of name servers. Small number name servers serving a lot of zones, potentially there's a lot of dependencies there and because name servers are not really live. Actors in the ecosystem, there's no real way for them to publish their information that other than you know you might.

J

For example, if you wanted a role certificate, you might have to go and persuade 10,000 people to all individually go and contact the registry and they're not going to and that's gonna break things degree.

S

Yet that's what was brought up.

N

Once I think there's two separate things that we shouldn't be conflating. One is signaling that you can do do T and the other one is authenticating, and so you can imagine just having a single bit field saying: yes, you can do do T and then separately, having a sonication I. Think x.509, like Tod signaling yeah, just doing x.509 doesn't give you that. But if no reason you can't mix that in with some DNS level, signaling or even remembering, which name servers support it.

N

There aren't, as someone suggest there, aren't that many names or without their so.

S

The kind of do 9 will help with that. You got the signalling, but that's from the parent you get the signaling, that's that's do t is supported and then you can rely on the explained. How.

N

Do you think more reading more about I think there's other ways to put in the signals as well yeah.

R

He's bring it up from the under maintenance. Hello pay, different I, Cardenas I, really like the as in do 9 I've done some experiments to figure out. If we can do those experiments, it turns out. Current resolvers are all compliance in that they go and secure on these unknown algorithms, except not resolver, which was fixed yesterday and Google Public DNS. Well. My ticket is currently closed as works as intended and I've Warren's attention. I see. Thank you.

S

Actually quickly so one of the issue in the tea lake hls a case is, you can get some signaling and basically have to fall back to to DNS over 53, and then you could find that there is TLS I, recalled and know that they do. Does. There's also the issue that essentially, you need to do some probing, but we could also think about ad s record that does signal that the server is supposed to do. Cheerless a.

AA

West heard occur is a the DNS ecosystem. Has a miserable history in keeping parent children synchronization issues in check and I would even so badly to the point of I would argue anything that requires a child update. A parent record is a non-starter and it's a real problem, and you know, unfortunately, that might mean you need extra queries. You know is, for example, but a lot of those solutions have parent transit, synchronization issues and we suck at it. Yeah.

S

This is something I put actually in the case of the geo-9 util. At least the zone owner will need to update once to say that their support DNS D s over x509, but then there is no need to update that as the name server doing your date. So that's kind of trade-off that may be fine. Yeah I want you to bring those different, IDs, I think the the table here should be. He may be a bit more granular and they should be also different, shade of red and and doing.

O

Yeah they become I mean the the parent kind of child thing was point out enough, I mean that's really. A non-starter also involves registrar's writing. What have you I think? A solution has to be sort of somewhere at the child's level so that the child can decide and it has to be the intersect period. I mean we didn't do linear sect for years, without kind of now doing something that doesn't required.

E

The next may offer something that came to my mind just just a moment ago. I, don't know where that has been discussed would be an even a zero option and the additional section gets returned to the client, oh good, for a fella security implications that.

S

Can be intercepted in and jobs that could be intercepted and dropped right.

S

All right, thanks I mean you know, bring up your concerns and new IDs on the mailing list. I really want you moving forward. I rather liked to have more inputs to be able to try to find out where, where the trays are suited should be Thanks.

C

This appears to be our last talk for the day, so.

AM

I'm through I'll be talking about bootstrapping the trying to discover locally provided ego-t and do it source.

AM

Liquid problem statement on why we need to discover the locally provided devotee and the users and then the solution review and the privacy and security aspects of it.

AM

Three, if, if an enterprise network, an endpoint is configured to use public dns server, then it breaks, readiness and it also blake's a local resolution and may or may not harm a CDN localization to locate SVD and closer to the user geographic location.

AM

The bigger problem being the network security services deployed in the enterprise network cannot act on the encrypted DNS traffic to block malware.

AM

Today, what enterprise firewalls are doing are basically putting up a shield rules to basically drop any traffic going on port 853, and they are already identified a bunch of public key with servers and blocking access to those domains.

AM

These domains are categorized as proxy or analyzer, and they block that the it has it has both security and privacy implications that what it would cause is if the endpoint has chosen strict privacy profile, the endpoint can no longer get DNS service and cannot access internet right, and if, if the endpoint has chosen opportunistic privacy profile, it would either fall back to clear text or end up doing unauthenticated encrypted connections.

AM

Both these scenarios have serious ramifications on the endpoint security and privacy, for instance. If the dns traffic is successfully blocked, then it could result in pervasive monitoring.

AM

Typically, enterprises may have parameter security, in which case an internal attacker can modify the DNS response to point to a malicious soul in case if the Tod, which traffic is not blocked, then split, DNS may not work and the network security services may not may be unable to block the malicious Isis to malicious domains and further, if the IOT manufacturer is providing I woulda firewall rules based on domain names that cannot be enforced on the network security service.

AM

So what we are, what are you trying to propose in this draft? Is a mechanism for the endpoint to bootstrap and discover and authenticate the local. He provided a do T and D voiceover and solve the problems that have previously listed.

AM

The assumption is in an enterprise network. If you bring in lon MDM device, MDM devices can easily be bootstrap to trust the locally provided, devotee or device. So this is a case where you bring in your own BYOD device into the enterprise network, in which case you know the credentials to authenticate to the network. So you basically discover and authenticate the EC server is T's enrollment or secure transport, and then you are basically authenticate the EST server using a peg scheme.

AM

In this case, I picked argumented pick scheme, basically TLS SRP to authenticate the UC server, and once the authentication is successful, the endpoint can fetch the CA certificates and identity certificates, which is the DNS server certificate from the EST server, and what we have done is introduced a new SR SRV ID record, basically, so that the client can identify among all the entity certificates. What is the DNS server certificate.

G

Gender condom word: can you just back up yeah through that side? Why is there a CA certificate involved in this sorry, why why is there a CA certificate involved in this? The.

AM

G

AM

The enterprise's are such.

G

But why do we need a look? Why do we need a educate.

AM

The DNS server no.

G

AM

G

Is in the local DNS server just have a normal certificate that doesn't use this year. Many.

AM

Of the enterprise's, don't have public comments, physic.

G

So is the is the expectation that this CA certificate will be added to a generic root store, or that will be specifically just a.

AM

Name, restricted see it just for authenticating the local provided services. It.

G

Is expected to not be it's.

AM

Not supposed to act as a TLS proxy to look into the internet traffic, this.

G

Strikes me as room for implementation error. Yes,.

AD

And that's what we're trying to it right so like whenever I see like a presentation, this starts with some likely, however acquire means, and then it starts like this, like designing security protocols, I got kind concerned. Can you like tell me what is the what it what it, what what? What information is this supposed to be establishing for me like what what like, like I I, brought my client, it's like getting a bunch of Network messages like what information it, what it, what is the information I'm supposed to come away with, so.

AM

You just connect to an enterprise network and, for instance, like you, get a message saying that I cannot use my public do HR DoD server. Then what option do we have today so to either it's fallback to clear text right? So this is avoiding that option that you can have a secure connection to the enterprise provider, DoD device server, okay,.

AD

So I joined the network, I guess the messages that say sorry. No button no default like dat server on. Please go over here right, yeah. What what? What information? What? What is the security information that leads me to believe the message go over here is valid sure.

AM

So this information is going to come from an authentic source because you know that that est servi authenticating the used is over right but using the credentials with the est server. Okay like unless you authenticate the UC server you it's a network provider, DHT server, it has the same, it should have a representation of you, username and password. So it's it's. It's talking to Triple A server hosted in the enterprise network. So it's a trusted element within the enterprise network. It's not some character who is hosting the e so.

AD

AN

Yeah I I think the the question like if you envision, like the genera Macbook I, plug-in into some random Network like there's I, feel like there's a behavior switch between like generic public network behavior and managed enterprise network behavior. Are you presuming this? This is like a managed device, yeah yeah. So what yes? So the question is like: how are you presuming the client figures out that it needs to be in managed enterprise mode as opposed to generic hostile Internet mode?

AN

Are you presuming that there's like some switch or some device management platform there that the like, yes, music,.

AM

Choice basically, when he switches to this enterprise network, he can have a choice whether he wants to use the enterprise provided server or not. It's.

AO

A choice for the users I mean he can always forget. Ok, ok, let's get it back like I.

AD

My first day at Cisco I, come in I've got like my iPhone I. Don't so why don't you just MDM in the name of the server I'm.

AM

Talking about, if, if it's MDM, it's pretty easy to manage, we don't need this right. Let's make it very clear right, I mean if it's MDM.

AO

You don't need this mechanism is, but like he.

AD

Just for me, it's not my junior device so like so. Why can't? Whatever? Whatever thing that imprints device implanted with an email, server, yeah.

AM

AF

Could this is the thing that imprints the device?

AF

No, it doesn't happen at Starbucks. Okay, this is the thing that imprints the device.

AP

AF

I I don't know I, don't know why we can't do it at Starbucks, except that we haven't degrees and.

AM

Norm long ID manage the others that they take to this office and I want to login to Cisco. So that's.

AF

AM

AF

In that context, how do you get the coyote toh trust anchor so that you can get DNS right.

AD

Okay, um I again, it's not really clearly why he's can't have like what PGI certificates um so, but ok, fine, so um I.

AD

So is: is there? Is there a? Is there a? Is there a mechanical wire communication path? Yet at the point at the point where this starts, is there a wired communication path with some trust and trust information on the client or not answers no answer, always the password. The.

AM

User has already authentication to the network. This is the next step after that.

AD

Yeah yeah like how, like, like, like I like I'm, trying to jam like what like well I, thought it was. The scenario is the scenario is that this is a device which already has a management platform that is communicating with it or not. So then understand like okay.

N

Hi, what's in here, why are you using SRP for this?

N

Its DNS SMP I, know there's. The thing is I believe that that version of RFC is a version of the protocol, which has a two for one password guessing attack. There's also issues around the password hashes. They recommend a lot more Indies to be there, security considerations and I'll. Advise you to wait for a see if RG do actual or TLS working groups to have a modern cake. um Something like opaque could probably even remove a couple rounds by sending information you want. Yes, yeah.

AM

I'm following the working see FRG, so this was something that was available and open. Sister said for me to prototype, so that's I'm.

N

Aware it's available open as a cell. There have been history of issues here, so I would strongly advise you not to use that implementation. Okay,.

C

Stephen Farrow and then Warren and then Richard Barnes is the last person in line so Richard stand there you'll be the end.

I

Steam file I share Decker's puzzlement on this one. Would it be fair to say that you're, a bunch of people who are used to dealing with EST and you you already had a hammer, so would that be fair or unfair? Yeah everybody at once use EST. So all the time, yeah right, yeah seems weird to kind of use that kind of enrollment kind of model for to try and solve the problem of issues with, though, come up by passing local policy. That just seems like a really weird texture. I do.

AQ

So one kumari google, I think, just like steven and Ecker I'm, very confused in the serve deployment model. I get the I arrive at business with phone, and it helps me enroll in this. What I do not understand is how the same thing can't happen at you know a Starbucks or something like that right. How does my device know that this is one it's supposed to enroll with and that's okay and reasonable, and that other one isn't and I think that that's the root of a lot of the confusion, yeah.

AM

I mean I: don't want to do this procedure if I walk into Starbucks, but I want to do it. If I go into my enterprise network right, but.

AQ

I work, but but how do you know that that's the good one and talk about.

AM

That, if you can give me a second yeah sure.

AR

Part is my dad, so this problem is basically orthogonal to the VPN client that connects remotely to network and and also needs to convey some DNS information and what is trusted not- and in that case it's the easy case, because you actually have provision and pre-installed a trust relationship between the two parties and even there I spent for a ETFs and and and some interesting long-term quality time with ekor on getting split.

AR

Dns draft out there at which is now an RFC last call I strongly recommend you read all the limitations that are enforced on us to limit these kind of scenarios where you just take over a DNS server, so that you don't raise as much time as I did in getting people happy here about reconfiguring their DNS on the fly. Yeah.

AM

I'm following the deal IPSec.

Z

Yeah thanks Matt pound set. Could you actually back up to your problem statement slide yeah that one so so I mean I'm going to observe that I'm, actually on the opposite side of these enterprise case argument as a lot of the privacy people who are here in in that I think we need to solve the enterprise issue, but I think you're, starting from a malformed problem statement, which might be part of the reason why everybody's confused so so network security services can act on dough or rather don't need to.

Z

You know to find the right way to phrase this so that it covers both these cases but network security services, don't need to treat dot and doe differently. Necessarily the reason they're different. Is that, though, is designed to design to bypass that sort of thing right, so conflating them in in that way is is problematic number one in that we don't actually want to. We don't want to prevent people from using dot and oh, we want. We want people to use our dot and oh alright,.

AM

Yeah I'm just saying this is what is happening in the enterprise firewall world and I'm, saying rather than and today right, entire mechanism is causing the endpoint to fall back to clear it. It's because.

Z

AM

Reach and I'm saying this is a better proposal than what is happening today, right.

Z

Right but but the the conflict here is between the the user, who either trusts DHCP or they don't and if they don't then they're treating the network is hostile and between the network administrator. Who who looks at the application as either they accept my DHCP data or they don't, and if they don't, that application is hostile and the you're not going to solve.

Z

That second case through configuration and in the first case you're not going to solve that through more management configuration you have to solve that through some sort of other trust relationship which so so you need. You need prior trust, which basically boils down to the end. You, the application, is either going to accept DHCP or they're going to manually configure something with some kind of prior trust agreement and so yeah, so I think I. Think.

Z

However, you approach this, because the problem statement doesn't isn't quite right for what's actually going on you're gonna wind up with something that that nobody really gets. Okay,.

AN

Richard Branson Cisco, so I think.

AN

What we have here is a tussle, so I mean I. Think to your credit, you, like I, think you have accurately described the state of the art in terms of where we stand in this tussle. I. Think the challenge I'll be brief, because I think a lot of people have said this pretty clearly like we do I think there is a use case. You're like there's a pony somewhere in here.

AN

The trick is like figuring out exactly where in this use case space, there is there's you you haven't you you land in a territory. It's not already occupied right, because we understand two cases pretty well. We kind of nailed down two ends of the spectrum. We understand the totally unmanaged device that certainly whatever the hell it wants very well and we understand the managed device with an MDM platform to this explicitly configured by the owner of the network. To do the right thing.

AN

We understand those two cases, I think there's this ambiguity of like where you know, if you clock down somewhere in the middle of this weird like you, the network is trying to impose some control and there's a need to opt into some like how do you you know and up in that situation and not gonna fall over into one of the others so like putting some bounds on the situation, would help and maybe like thinking about what the user experiences you're trying to create what would be helpful sure you're.

C

Like two minutes left sure.

AM

So after the hardiness ovals are discovered, the client can do ns any meteor, look up to figure out the protocols being supported by the local Sol and then the order of preference provided by the DNS server administrator for DNS over HTTP, the existing working group draft in Rd, which can be used to discover the URI template.

AM

The client can then use the explicit trust or downloaded from the HT server to validate this associated, we're considering adding a new privacy certificate extension to basically convey the privacy policy with regard to the DNS server. What's it gonna do with the data, especially the PA data, just like the public servers are giving you policy. So this is gonna reflect the we see policy of the local dotd where server so that the user can make an concentrate choice, whether he wants to use this locally provided a devotee devoid sir or not.

AM

The xplit trust can also be used to validate other readiness of cyclic ups that happen within the local network and user. Just needs to I mean I, don't want to enable this in an every Network. So I go to a network where I work day in and day out and I know that hey. That network gives me network security and privacy and I want to use that in those networks only and if the user trusts the network's, then the user can enable strict privacy profile.

AM

Unlike the today's configuration wire user typically goes by a default, opportunistic privacy profile which causes him to fall back to clear text and any further comments insertion. So thank you so.

B

How many people have actually read this document.

B

Of those of you who have read this document, how many of you think this is actually in scope for this working group.

B

AN

Two seconds Richard yeah I mean without looking at the Charter. It seems like the this group has done some thinking about discovering you know, DNS servers that provide you know these security, enhanced features, and so to that degree it could be in scope, but I, don't think we understand the use case here. Quite well enough, so to say one way or the other, but with with any finality is whole.

B

Lot, Mart is very still in the room. No.

C

M

Good yeah, none Thompson. This has got some parallels to the work that polls were doing for discovery and doe.

M

It's a little unclear what we have a two minute lock and it also could be a completely different mechanism and I suspect that we'll need to understand the requirements a lot lot better before we can decide whether this is even remotely the right mechanism. This is a finding mix of acronyms. From my perspective and I can I can.

AD

Imagine a number of.

M

Solutions that have simpler but I, don't know what the requirements are. Alright,.

B

So in full disclosure I was calling out berry because he and I actually had a conversation about some of this discovery and in how we're how he wanted to deal with it from a you know, from an IETF perspective. So for those area directors who were still in a room, Oren Eric anybody.

L

Else so Sean no.

B

Not Sean no, but if you guys can help coordinate that effort with the with the different working groups related to the DNS over pick your favorite transport protocol, and let us know that would be great all right. We are now three minutes over unless somebody has something critical like your hotel room is on fire and you want to let them know we're.

C

Done and the ITF is over I think this is the last say.

D

C

You for sticking around so long, we'll see y'all Holly in Montreal.

AS

C

We're the blue sheets can hope. I see him just leaving back there. I'll come get him so.

AP