From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: dns-privacy@ietf.org
Subject: WG Review: DNS PRIVate Exchange (dprive)
The DNS PRIVate Exchange (dprive) WG in the Internet Area of the IETF is
undergoing rechartering. The IESG has not made any determination yet. The
following draft charter was submitted, and is provided for informational
purposes only. Please send your comments to the IESG mailing list
(iesg@ietf.org) by 2018-05-17.
DNS PRIVate Exchange (dprive)
-----------------------------------------------------------------------
Current status: Active WG
Chairs:
Brian Haberman <brian@innovationslab.net>
Tim Wicinski <tjw.ietf@gmail.com>
Assigned Area Director:
Terry Manderson <terry.manderson@icann.org>
Internet Area Directors:
Terry Manderson <terry.manderson@icann.org>
Suresh Krishnan <suresh@kaloom.com>
Mailing list:
Address: dns-privacy@ietf.org
To subscribe: https://www.ietf.org/mailman/listinfo/dns-privacy
Archive: https://mailarchive.ietf.org/arch/browse/dns-privacy/
Group page: https://datatracker.ietf.org/group/dprive/
Charter: https://datatracker.ietf.org/doc/charter-ietf-dprive/
The DNS PRIVate Exchange (DPRIVE) Working Group develops mechanisms
to provide confidentiality to DNS transactions in order to address
concerns surrounding pervasive monitoring (RFC 7258).
The set of DNS requests that an individual makes can provide an
attacker with a large amount of information about that individual.
DPRIVE aims to deprive the attacker of this information (The IETF
defines pervasive monitoring as an attack [RFC7258]).
The initial focus of this Working Group was the development of
mechanisms that provide confidentiality and authentication between
DNS Clients and Iterative Resolvers (published as RFCs 7858 and
8094). With proposed standard solutions for the client-to-iterative
resolvers published, the working group turns its attention to the
development of documents focused on: 1) providing confidentiality
to DNS transactions between Iterative Resolvers and Authoritative
Servers, 2) measuring the performance of the proposed solutions
against pervasive monitoring, and 3) define operational, policy, and
security considerations for DNS operators offering DNS privacy
services. Some of the results of this working group may be experimental.
There are numerous aspects that differ between DNS exchanges with an
iterative resolver and exchanges involving DNS root/authoritative
servers. The working group will work with DNS operators and developers
(via the DNSOP WG) to ensure that proposed solutions address key
requirements.
DPRIVE is chartered to work on mechanisms that add confidentiality
to the DNS. While it may be tempting to solve other DNS issues while
adding confidentiality, DPRIVE is not the working group to do this.
DPRIVE will not work on any integrity-only mechanisms. Examples
of the sorts of risks that DPRIVE will address can be found in [RFC
7626], and include both passive wiretapping and more active attacks,
such as MITM attacks. DPRIVE will address risks to end-users' privacy
(for example, which websites an end user is accessing).
DPRIVE Work Items:
- Develop requirements for adding confidentiality to DNS exchanges
between recursive resolvers and authoritative servers (unpublished
document).
- Investigate potential solutions for adding confidentiality to DNS
exchanges involving authoritative servers (Experimental).
- Define, collect and publish performance data measuring effectiveness
of DPRIVE-published technologies against pervasive monitoring
attacks.
- Document Best Current Practices for operating DNS Privacy services.
Milestones:
WG action announcement
WG Action Announcement
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: The IESG <iesg@ietf.org>,
dns-privacy@ietf.org,
dprive-chairs@ietf.org
Subject: WG Action: Rechartered DNS PRIVate Exchange (dprive)
The DNS PRIVate Exchange (dprive) WG in the Internet Area of the IETF has
been rechartered. For additional information, please contact the Area
Directors or the WG Chairs.
DNS PRIVate Exchange (dprive)
-----------------------------------------------------------------------
Current status: Active WG
Chairs:
Brian Haberman <brian@innovationslab.net>
Tim Wicinski <tjw.ietf@gmail.com>
Assigned Area Director:
Terry Manderson <terry.manderson@icann.org>
Internet Area Directors:
Terry Manderson <terry.manderson@icann.org>
Suresh Krishnan <suresh@kaloom.com>
Mailing list:
Address: dns-privacy@ietf.org
To subscribe: https://www.ietf.org/mailman/listinfo/dns-privacy
Archive: https://mailarchive.ietf.org/arch/browse/dns-privacy/
Group page: https://datatracker.ietf.org/group/dprive/
Charter: https://datatracker.ietf.org/doc/charter-ietf-dprive/
The DNS PRIVate Exchange (DPRIVE) Working Group develops mechanisms
to provide confidentiality to DNS transactions in order to address
concerns surrounding pervasive monitoring (RFC 7258).
The set of DNS requests that an individual makes can provide an
attacker with a large amount of information about that individual.
DPRIVE aims to deprive the attacker of this information (The IETF
defines pervasive monitoring as an attack [RFC7258]).
The initial focus of this Working Group was the development of
mechanisms that provide confidentiality and authentication between
DNS Clients and Iterative Resolvers (published as RFCs 7858 and
8094). With proposed standard solutions for the client-to-iterative
resolvers published, the working group turns its attention to the
development of documents focused on: 1) providing confidentiality
to DNS transactions between Iterative Resolvers and Authoritative
Servers, 2) measuring the efficacy in preserving privacy in the
face pervasive monitoring attacks, and 3) defining operational,
policy, and security considerations for DNS operators offering
DNS privacy services. Some of the results of this working group
may be experimental.There are numerous aspects that differ between
DNS exchanges with an iterative resolver and exchanges involving
DNS root/authoritative servers. The working group will work with
DNS operators and developers (via the DNSOP WG) to ensure that
proposed solutions address key requirements.
DPRIVE is chartered to work on mechanisms that add confidentiality
to the DNS. While it may be tempting to solve other DNS issues while
adding confidentiality, DPRIVE is not the working group to do this.
DPRIVE will not work on any integrity-only mechanisms. Examples
of the sorts of risks that DPRIVE will address can be found in [RFC
7626], and include both passive wiretapping and more active attacks,
such as MITM attacks. DPRIVE will address risks to end-users' privacy
(for example, which websites an end user is accessing).
DPRIVE Work Items:
- Develop requirements for adding confidentiality to DNS exchanges
between recursive resolvers and authoritative servers (unpublished
document).
- Investigate potential solutions for adding confidentiality to DNS
exchanges involving authoritative servers (Experimental).
- Define, collect and publish performance data measuring effectiveness
of DPRIVE-published technologies against pervasive monitoring
attacks.
- Document Best Current Practices for operating DNS Privacy services.
Milestones:
Nov 2018 - Unpublished document on requirements for DNS privacy services
between recursive and authoritative servers (Wiki)
Mar 2019 - Submit draft on operating DNS privacy services for publication
(BCP)
Mar 2019 - Submit draft on DNS privacy performance metrics and actual
measurements (Info)
Nov 2019 - Submit draft on DNS privacy exchanges involving authoritative
servers (Exp)