This draft defines part of a DNS record. Can you point me to an example of an IETF document that discusses logging or monitoring for other DNS records? If there is a convention I'm happy to follow it, but I'm not aware of the IETF making any such recommendations in the past.
There are some standards defined for recording protocol data, such as C-DNS (RFC 8618) and PCAP (draft-ietf-opsawg-pcap). These naturally capture ECH-related data without modification. Other logging systems such as QLOG (draft-ietf-quic-qlog-quic-events) don't currently record details of DNS or TLS, so ECH would not affect them. There is a draft in the TLS working group for logging of session keys, specifically including ECH keys [1]. That seems potentially relevant to any use of ECH, not only uses that rely on DNS as discussed in this draft, so I don't see the need for a reference here.

--Ben Schwartz

[1] https://www.ietf.org/archive/id/draft-ietf-tls-keylogfile-04.html#name-secret-labels-for-ech

________________________________
From: Mahesh Jethanandani via Datatracker <nore...@ietf.org>
Sent: Tuesday, May 6, 2025 12:17 PM
To: The IESG <i...@ietf.org>
Cc: draft-ietf-tls-svcb-...@ietf.org <draft-ietf-tls-svcb-...@ietf.org>; tls-cha...@ietf.org <tls-cha...@ietf.org>; tls@ietf.org <tls@ietf.org>; s...@sn3rd.com <s...@sn3rd.com>; s...@sn3rd.com <s...@sn3rd.com>
Subject: Mahesh Jethanandani's No Objection on draft-ietf-tls-svcb-ech-07: (with COMMENT)

Mahesh Jethanandani has entered the following ballot position for draft-ietf-tls-svcb-ech-07: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.
The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-tls-svcb-ech/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

I want to thank Linda Dunbar for her OPSDIR review. In particular, she brings up this point in her review:

>> Additionally, diagnosing ECH failures can be difficult due to the lack of
>> fallback and visibility. The draft should recommend logging and monitoring
>> strategies to help operators detect misconfigurations.
>
> I don't believe we have any relevant recommendations for logging or monitoring. Any such logging would likely not be related to the DNS records, so those recommendations would be in draft-ietf-tls-esni or a later draft.

I can understand Linda's concern. This document, in particular, talks about how the client learns the ECH configuration for the server and what its behavior should be given the ECH configuration. Implementors will therefore be looking at this document, and not a later draft, for what information should be logged. Is there no guidance that this document can provide in that regard?
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org