<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:365101322;
mso-list-template-ids:86273612;}
@list l0:level1
{mso-level-start-at:2;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1
{mso-list-id:409697202;
mso-list-template-ids:1966403654;}
@list l1:level1
{mso-level-start-at:3;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2
{mso-list-id:1949458973;
mso-list-template-ids:-2102391786;}
@list l3
{mso-list-id:2082287473;
mso-list-template-ids:1605927828;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style>
</head>
<body lang="en-CH" link="blue" vlink="purple" style="word-wrap:break-word;-webkit-nbsp-mode: space;line-break:after-white-space">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">Thanks Casey,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">Thanks for adding the comment regarding method #3 to the document – I think being more explicit there will help.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">Yes – Qtype is an excellent additional basic element. Of course,PCAP will capture it all but I don’t think we need to get to that kind of detail / requirements for the TRT. They should
be free to use their expertise and tech stack to facilitate the analysis.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">Any other comments from the group here or other discussion?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US">Matt<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Casey Deccio <casey@deccio.net><br>
<b>Date: </b>Thursday, 30 November 2023 at 23:48<br>
<b>To: </b>"Thomas, Matthew" <mthomas@verisign.com><br>
<b>Cc: </b>"ncap-discuss@icann.org" <ncap-discuss@icann.org><br>
<b>Subject: </b>[EXTERNAL] Re: [NCAP-Discuss] Workflow methods<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<table class="MsoNormalTable" border="0" cellpadding="0" width="1185" style="width:888.75pt;background:#F5ECCE">
<tbody>
<tr>
<td width="1175" style="width:881.25pt;padding:.75pt .75pt .75pt .75pt">
<p><strong><span style="font-family:"Calibri",sans-serif;color:#993300">Caution:</span></strong><span style="color:#993300"> </span><span style="color:black">This email originated from outside the organization. Do not click links or open attachments unless
you recognize the sender and know the content is safe. </span><o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On Nov 30, 2023, at 3:50 AM, Thomas, Matthew <<a href="mailto:mthomas@verisign.com">mthomas@verisign.com</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">Thanks for bringing this discussion to the group. You have some good points in here that need to be teased out in the text of the document. Risk, as you mention, is a bit vague in our denotation; however, I would offer that as you laid
out in the email, risk is better described in the multiple dimensions of user/system disruption and data disclosure _combined.<o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I understand that, and I agree that everything needs to be considered holistically. What I meant about separating these two things (user/system disruption and data disclosure) is that if we know what amount of data disclosure and collection
is acceptable and all other things (user/system disruption) are effectively the same, then it seems to me that we should enable the disclosure of and collect *that* level of data all the time, for the sake of data completeness and consistency. Internet data
analysis is already hard enough with "complete" data; purposefully making it less complete makes it even harder to analyze.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">However, ithe group consensus might be that data collection depends on the TLD string and might vary from string to string. That is what we need to find out.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span lang="EN-US">In terms of data collection, I don’t believe the DG was saying just collect “counts” by method (I’m not even sure what you mean by method here). </span><o:p></o:p></p>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">By "method (3)", I was referring to reject-all, specifically this sentence from the "Sections 1 - 3" doc, section 3.5.3 ("reject all") [1]:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">"This method supports the requirements associated with data privacy as no data is collected beyond a record that a connection was made."<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">It could just be that I'm interpreting it wrong, and additional clarity needs to be added. I am happy to update this, but I didn't want to make edits on what might be considered a controversial point, without understanding the consensus
of the group.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">In any case, for the time being I've made a comment in the doc.<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span lang="EN-US">I’m pretty sure the DG was suggesting the client IP, port, etc.</span><o:p></o:p></p>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">Of course, that would be extremely useful :)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Could you offer the group what fields in each of the four would be? I’ll offer a strawman below:</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
</div>
<ol style="margin-top:0cm" start="1" type="1">
<li class="MsoListParagraph" style="margin-top:0cm;margin-bottom:0cm;mso-list:l2 level1 lfo1">
<span lang="EN-US" style="font-size:12.0pt">HINFO – This is DNS data at the authoritative name server. The most useful fields are likely to be the full Qname, timestamp, the source IP of query, protocol. Maybe some other fields might be useful but those are
likely the “big” ones. This would be recorded for every single query.</span><span style="font-size:12.0pt"><o:p></o:p></span></li></ol>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Yes, if you add query type, then these are the basic fields we would want. Although, the data might be most effectively collected if something is used that has some precedent, like full pcap (used with DITL) or BIND logs. Of course, those
would include more information that are beyond the "essentials", but that is okay by me.<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<ol style="margin-top:0cm" start="1" type="1">
<li class="MsoListParagraph" style="margin-top:0cm;margin-bottom:0cm;mso-list:l3 level1 lfo2">
<span style="font-size:12.0pt"><o:p> </o:p></span></li><li class="MsoListParagraph" style="margin-top:0cm;margin-bottom:0cm;mso-list:l3 level1 lfo2">
<span lang="EN-US" style="font-size:12.0pt">CI – Same as data fields as #1 above.</span><span style="font-size:12.0pt"><o:p></o:p></span></li></ol>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">Yes.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<ol style="margin-top:0cm" start="2" type="1">
<li class="MsoListParagraph" style="margin-top:0cm;margin-bottom:0cm;mso-list:l0 level1 lfo3">
<span style="font-size:12.0pt"><o:p> </o:p></span></li><li class="MsoListParagraph" style="margin-top:0cm;margin-bottom:0cm;mso-list:l0 level1 lfo3">
<span lang="EN-US" style="font-size:12.0pt">Reject All – Now you have two data sets. You would still have the DNS data from #1/2 above as well as the connection attempts on the honeypot server. That second server I would expect to log very similar data – timestamp,
protocol, port, source IP. But those connections are from the impacted end system, not recursive resolvers.</span><span style="font-size:12.0pt"><o:p></o:p></span></li></ol>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">Yes, this sounds right to me. See also my note about collection methods above.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<ol style="margin-top:0cm" start="3" type="1">
<li class="MsoListParagraph" style="margin-top:0cm;margin-bottom:0cm;mso-list:l1 level1 lfo4">
<span style="font-size:12.0pt"><o:p> </o:p></span></li><li class="MsoListParagraph" style="margin-top:0cm;margin-bottom:0cm;mso-list:l1 level1 lfo4">
<span lang="EN-US" style="font-size:12.0pt">Application layer – I think here you would collect the DNS data again from #1/2 as well as the same #3. I think us getting overly prescriptive on exactly what or if application data is logged here is not needed.
Since we have long said each name collision is its own snowflake, the TRT should have the flexibility to pivot/adapt here as needed.</span><span style="font-size:12.0pt"><o:p></o:p></span></li></ol>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I think what you are saying is to collect the same data as #3 (which includes DNS data from 1 and 2, of course). If so, I think that's right.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">(To be clear, I still do not find this an acceptable option at all because it allows application-layer data to be sent, but I'm nonetheless stating what the data collection should look like, should this be a thing.)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Let’s please try to continue this thread and have an active and productive discussion on the mailing list so that this information can get incorporated into the document.</span><o:p></o:p></p>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<p class="MsoNormal">Casey<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">[1] <a href="https://docs.google.com/document/d/13SQnZt1HHeD9i1cSds-kj16mxRQgxp6hpb2K1kLqB1U/edit?usp=sharing">https://docs.google.com/document/d/13SQnZt1HHeD9i1cSds-kj16mxRQgxp6hpb2K1kLqB1U/edit?usp=sharing</a><o:p></o:p></p>
</div>
</div>
</body>
</html>