Re: [Add] draft-arkko-abcd-distributed-resolver-selection

Vittorio Bertola <vittorio.bertola@open-xchange.com> Mon, 23 March 2020 11:29 UTC

Return-Path: <vittorio.bertola@open-xchange.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBC413A0762 for <add@ietfa.amsl.com>; Mon, 23 Mar 2020 04:29:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.089
X-Spam-Level:
X-Spam-Status: No, score=-2.089 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_SPF_HELO_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=open-xchange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sa-gs3U7JpFm for <add@ietfa.amsl.com>; Mon, 23 Mar 2020 04:29:23 -0700 (PDT)
Received: from mx3.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B694F3A0763 for <add@ietf.org>; Mon, 23 Mar 2020 04:29:16 -0700 (PDT)
Received: from open-xchange.com (imap.open-xchange.com [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx3.open-xchange.com (Postfix) with ESMTPS id 664C66A259; Mon, 23 Mar 2020 12:29:12 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=open-xchange.com; s=201705; t=1584962952; bh=X11AN7r3wAB/yVlLkz6IKBHj3voygsZA1yLYPDXbUcc=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From; b=ih8A76OAeUt/zMom46S8OKvYD+b88E5JJex/Inv4EjCZzE92P/4EbAsZDh6Jv6nIn GjXk6eOlUFx1uXEAFXY1ndJmI/SlOeCa4daBieK7tgBFTNum6APVR3GUKZIrmLVbtr 9Q+vIkoPYjCK1MHrQsNx0VWrJMm1vdJgFZj6ElwSI7bJ0BJVDkYRZUaxIZi9uVD6ux HK/a/SFYzc6TAnQgm4aAAJdX/3AO4HFlM1Rvxvf1ti6ScdmlVJI9ur+S3SWlXdbiAd veMnZOxJ4kFkYGyhSsgG8zMZXFCCmZ0CjcHQT5VFVZ44teMIGXdoISHSjuo8CFj1Ko Y2sSH2HBFt9Hg==
Received: from appsuite-dev-gw1.open-xchange.com (appsuite-dev-gw1.open-xchange.com [10.20.30.221]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id 5982C3C036C; Mon, 23 Mar 2020 12:29:12 +0100 (CET)
Date: Mon, 23 Mar 2020 12:29:11 +0100
From: Vittorio Bertola <vittorio.bertola@open-xchange.com>
To: Ted Hardie <ted.ietf@gmail.com>
Cc: ADD Mailing list <add@ietf.org>
Message-ID: <2042377301.3512.1584962952271@appsuite-dev-gw1.open-xchange.com>
In-Reply-To: <CA+9kkMBug-PfkJsQ2-cm5G-J+iynma2OJzYJ3AjM6Gpzg-fFkg@mail.gmail.com>
References: <CA+9kkMDvX7e0WkRMmJtf33GwMQQ1rAGny87UwneA6znCom_85Q@mail.gmail.com> <CACJ6M17rjhta9rqFHAJ_JaugRiCR7xvAChww0uO912-NayQwEQ@mail.gmail.com> <CA+9kkMBug-PfkJsQ2-cm5G-J+iynma2OJzYJ3AjM6Gpzg-fFkg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_3510_1748275709.1584962952235"
X-Priority: 3
Importance: Normal
X-Mailer: Open-Xchange Mailer v7.10.4-Rev0
X-Originating-Client: open-xchange-appsuite
Autocrypt: addr=vittorio.bertola@open-xchange.com; prefer-encrypt=mutual; keydata= mQENBFhFR+UBCACfoywFKBRfzasiiR9/6dwY36eLePXcdScumDMR8qoXvRS55QYDjp5bs+yMq41qWV9 xp/cqryY9jnvHbeF3TsE5yEazpD1dleRbkpElUBpPwXqkrSP8uXO9KkS9KoX6gdml6M4L+F82WpqYC1 uTzOE6HPmhmQ4cGSgoia2jolxAhRpzoYN99/BwpvoZeTSLP5K6yPlMPYkMev/uZlAkMMhelli9IN6yA yxcC0AeHSnOAcNKUr13yXyMlTyi1cdMJ4sk88zIbefxwg3PAtYjkz3wgvP96cNVwAgSt4+j/ZuVaENP pgVuM512m051j9SlspWDHtzrci5pBKKFsibnTelrABEBAAG0NUJlcnRvbGEsIFZpdHRvcmlvIDx2aXR 0b3Jpby5iZXJ0b2xhQG9wZW4teGNoYW5nZS5jb20+iQFABBMBAgAqBAsJCAcGFQoJCAsCBRYCAwEAAp 4BAhsDBYkSzAMABQMAAAAABYJYRUflAAoJEIU2cHmzj8qNaG0H/ROY+suCP86hoN+9RIV66Ej8b3sb8 UgwFJOJMupZfeb9yTIJwE4VQT5lTt146CcJJ5jvxD6FZn1Htw9y4/45pPAF7xLE066jg3OqRvzeWRZ3 IDUfJJIiM5YGk1xWxDqppSwhnKcMOuI72iioWxX0nGQrWxpnWJsjt08IEEwuYucDkul1PHsrLJbTd58 fiMKLVwag+IE1SPHOwkPF6arZQZIfB5ThtOZV+36Jn8Hok9XfeXWBVyPkiWCQYVX39QsIbr0JNR9kQy 4g2ZFexOcTe8Jo12jPRL7V8OqStdDes3cje9lWFLnX05nrfLuE0l0JKWEg8akN+McFXc+oV68h7nu5A Q0EWEVH5QEIAIDKanNBe1uRfk8AjLirflZO291VNkOAeUu+dIhecGnZeQW6htlDinlYOnXhtsY1mK9W PUu+xshDq7lXn2G0LxldYwyJYZaJtDgIKqVqwxfA34Lj27oqPuXwcvGhdCgt0SW/YcalRdAi0/AzUCu 5GSaj2kaGUSnBYYUP4szGJXjaK2psP5toQSCtx2pfSXQ6MaqPK9Zzy+D5xc6VWQRp/iRImodAcPf8fg JJvRyJ8Jla3lKWyvBBzJDg6MOf6Fts78bJSt23X0uPp93g7GgbYkuRMnFI4RGoTVkxjD/HBEJ0CNg22 hoHJondhmKnZVrHEluFuSnW0wBEIYomcPSPB+cAEQEAAYkBMQQYAQIAGwUCWEVH5QIbDAQLCQgHBhUK CQgLAgUJEswDAAAKCRCFNnB5s4/KjdO8B/wNpvWtOpLdotR/Xh4fu08Fd63nnNfbIGIETWsVi0Sbr8i E5duuGaaWIcMmUvgKe/BM0Fpj9X01Zjm90uoPrlVVuQWrf+vFlbalUYVZr51gl5UyUFHk+iAZCAA0WB rsmACKvuV1P7GuiX3UV9b59T9taYJxN3dNFuftrEuvsqHimFtlekUjUwoCekTJdncFusBhwz2OrKhHr WWrEsXkfh0+pURWYAlKlTxvXuI7gAfHEQM+6OnrWvXYtlhd0M1sBPnCjbyG63Qws7Rek9bEWKtH6dA6 dmT2FQT+g1S9Mdf0WkPTQNX0x24dm8IoHuD3KYwX7Svx43Xa17aZnXqUjtj1
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/hlwO8vPTJExYT7W3PCan9cukJvo>
Subject: Re: [Add] draft-arkko-abcd-distributed-resolver-selection
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2020 11:29:26 -0000

>     Il 20/03/2020 22:23 Ted Hardie <ted.ietf@gmail.com> ha scritto:
> 
> 
>         > > 
> >         We then get onto the problem briefly mentioned in section 6.2, namely
> >            different resolvers might have different policies with
> >            respect to blocking or filtering of queries that lead to clients
> >            receiving inconsistent answers
> > 
> > 
> >     > 
>     If you put resolvers with different policies into the trusted set, that can happen.  If the resolvers are transparent about their policies, this seems less likely to happen, because you will put resolvers into the set only when you are both confident of their privacy-preserving behavior and that their policies match your desires.
> 
Assuming that "you" in your sentence is the end-user and not the client, it is hard to think that this approach can work in practice for the ordinary user; as a minimum, as suggested by other drafts, there should be an automated, standardized way for resolvers to describe their policies and for clients to retrieve them and match them against the user's preferences, without requiring the user to go through legalese terms & conditions every time they want to add/accept a new resolver into the set (though there might be a legal requirement that they do anyway).

In the absence of that, it would be likely that the user only went through the hassle of vetting and adding a new resolver for two or three times, which could easily frustrate the privacy properties of the concept and in fact bring forth more centralization and more opportunities for user tracking.

(By the way, the draft seems to lack a proper "Privacy Considerations" section, is it still in the making? That could be a place to record this discussion.)

In addition, the above approach does not work for adversarial filtering, i.e. the one done according to legal/policy requirements without the consent of the user, or that the user would even actively try to circumvent. Of course there are radically different views on whether that practice is good or bad and we should not reopen that discussion, but "inconsistent answers" is a side effect, not the key issue that would derive from a widespread adoption of the model discussed in the draft; so the draft should mention those issues too. The assessment in section 6 should be expanded to make it clear what the effects of the proposed model would be on currently common use cases for the DNS, like legally mandated filtering or security filtering by ISP/corporate networks.

--

Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bertola@open-xchange.com mailto:vittorio.bertola@open-xchange.com 
Office @ Via Treviso 12, 10144 Torino, Italy