As noted in RFC 8499, "Passive DNS" raises some significant privacy concerns.  
This is true even when client IP addresses are omitted.  For example, the 
proposed format includes timestamps.  An adversary who can record encrypted DNS 
traffic and can acquire corresponding Passive DNS logs could "join" the two 
datasets to break the protection offered by encrypted DNS.

I hope the working group will weigh the privacy considerations carefully when 
deciding how to proceed.

--Ben Schwartz
________________________________
From: DNSOP <[email protected]> on behalf of Tim Wicinski 
<[email protected]>
Sent: Friday, June 23, 2023 4:18 PM
To: dnsop <[email protected]>
Cc: dnsop-chairs <[email protected]>
Subject: [DNSOP] draft-dulaunoy-dnsop-passive-dns-cof


All

Draft-dulaunoy-dnsop-passive-dns-cof was originally submitted back in 2014, and 
has had 10 revisions since then.

https://datatracker.ietf.org/doc/draft-dulaunoy-dnsop-passive-dns-cof/

Note that the format is now fixed, and there are several implementations.

We had asked DNSOP (in the poll we held) to help us assess the level of interest 
in it, and the responses largely put it moderately high ("Adopt, but not 
now"). It would be helpful to find out if this is still the case, as things 
have progressed since then: the format is now widely used, and so the format 
itself is basically fixed. As an example, the format is being used within the 
US government agencies for event logging and incident response[0].

One of two things could happen:

1: DNSOP decides that they are really interested, adopts and improves the 
justification / operational / supporting text, and the draft gets published as 
an IETF RFC; or

2: DNSOP says "No thanks, but we don't actively object". In which case the ISE 
(and Warren!) has a much easier time explaining why it's being published as an 
RFC on the Independent stream. We will also ask for a DNS Directorate review.


Feedback Welcome

tim

[0]: Because the draft had expired, and the USG cannot (realistically) point at 
expired IDs, they had to copy and paste it into an internal document: 
https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf
Page 15 is the table where they defined the Passive DNS Log fields.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop