IETF Logo Mail Archive

Re: [Add] ECS privacy concerns, alternatives?

Brian Dickson <brian.peter.dickson@gmail.com> Thu, 25 April 2019 22:50 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8B9D12008A for <add@ietfa.amsl.com>; Thu, 25 Apr 2019 15:50:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IU_BkZQv0ptQ for <add@ietfa.amsl.com>; Thu, 25 Apr 2019 15:50:43 -0700 (PDT)
Received: from mail-qt1-x82e.google.com (mail-qt1-x82e.google.com [IPv6:2607:f8b0:4864:20::82e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 754211200C5 for <add@ietf.org>; Thu, 25 Apr 2019 15:50:43 -0700 (PDT)
Received: by mail-qt1-x82e.google.com with SMTP id d13so2081970qth.5 for <add@ietf.org>; Thu, 25 Apr 2019 15:50:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/QYDsQsMy0LMFI35qXObh/2ktuxJN/In+AKsetciYbE=; b=TAICJDW1UPiLvuJRNlXvmcXNquqvGBM82PGJGMq2cENsiwOjNlRhG1/M+Ujvv3tp1I FhtT5CzpZ4uyacmxTqZ6tlVXm9NdmwRz6/PoAdQw5vfN/1NSbwjmuS7yOIWq3y+VRzjm duYDEgqfeKZ4e71JGG6zX4jTWFzDskGCvj977Ub1Jg0rjIl0VdbezxJvb9iJqhrjcOFB KWzmqWib/Uq5ryCyARJmqYSos2Xfhog9eV49cvwqpxwyvX4rLnV8kDzbS+IN5lcSWOSh M5uxgHZbq1ys9zf8MXd7rH/aNstVqaBWSN/eJpmViGl9Ep64IAVBj8PSB1DtDZQPfRxa qOhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/QYDsQsMy0LMFI35qXObh/2ktuxJN/In+AKsetciYbE=; b=im4ALaiXTwN5JeUuL7UMtOrOlSDm4uFm/JEwxhW8IW+W1ZbfrByVKYxAdBakIBUwdE z+Wvcdw6G0gwq1bf65ZekgBUCJqFhkc9zOFIklyCOJDT7BWi49V68FaxwnP+xtypuFgI KT6LCQBGZWDm32KdJhKjdKi2U5eRvxPtmAM4VDzvF7qzU70B58Zd53+d/ELhD4k3uBCx 0XHDP3984PGUNIfVcApKT+mch5pEYBy5DTvVsg5K6wSa1G80b7oCzWyGWLIzK4b6yCKi lrdSKXskJW0Rtqf1eUDbgnOFJqOEOutuaX1fky5t7k9DWaKLzpz9FuYFLi7ODXKKTn5O tyLg==
X-Gm-Message-State: APjAAAVJxwJ/V2Cmh/W3vgcbe7meYHFG2IKcRqQHEIlTXwSfxzNvvTVo iG3FEGXsN3oqJI+Me7ZitLq2WI8PcP7atx+qth8=
X-Google-Smtp-Source: APXvYqwvQfX8p5/gnLG6WqBsLdUwhhDrPze2giEYsJ2Drak9n6+Um/VQ7Is99is8kcRIB6jyXgcp+6K6h5HXwZARD9E=
X-Received: by 2002:ac8:27b0:: with SMTP id w45mr34735954qtw.341.1556232642534; Thu, 25 Apr 2019 15:50:42 -0700 (PDT)
MIME-Version: 1.0
References: <CA+9_gVvWHUR5OFbBa9zf1+BSxcQNO8njKJEYp8FBt-=hJYESMA@mail.gmail.com> <CAAedzxr9h1PAo3Z0AUsDPo2CORrxkP0emr9KUX3osOPG21Ve-g@mail.gmail.com>
In-Reply-To: <CAAedzxr9h1PAo3Z0AUsDPo2CORrxkP0emr9KUX3osOPG21Ve-g@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Thu, 25 Apr 2019 15:50:31 -0700
Message-ID: <CAH1iCip6CvcfZSaQGs7C5Uk9eoSrBej59roHJUuGDS07M2sj+g@mail.gmail.com>
To: ek@loon.com
Cc: Puneet Sood <puneets=40google.com@dmarc.ietf.org>, add@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d8a3e8058762a5b4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/wXxgfIiBgqK7USKf92GuY0xy9LE>
Subject: Re: [Add] ECS privacy concerns, alternatives?
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2019 22:50:46 -0000

On Thu, Apr 25, 2019 at 2:37 PM Erik Kline <ek@loon.com> wrote:

>
>
> On Thu, 25 Apr 2019 at 14:06, Puneet Sood <puneets=
> 40google.com@dmarc.ietf.org> wrote:
>
>>
>> I think this can be solved by having the recursive resolver probe for
>> ECS support for a zone. If an authoritative nameserver serves a zone
>> that does not support ECS, it can respond w/o the ECS option
>> (https://tools.ietf.org/html/rfc7871#section-7.2.1). A recursive
>> resolver can use this as a signal to not send ECS to the nameserver
>> *for that zone* in the future. The recursive resolver would need to
>> probe periodically to handle the situation when the ECS support
>> changes.
>>
>> What am I missing here?
>>
>
> My recollection from the DPRIVE 104 discussion about TLS to the
> authoritative was that a non-probing method was considered preferable.
>
> Generalizing from there, I think folks want to minimize the amount of
> "probe and remember" activity that has to take place (no matter the problem
> domain).
>

I think there are two independent things that could/should be pursued: (a)
some way of signaling scalably about DoT/DoH support; and (b) a
sufficiently scalable probing method as a stopgap in the interim.

If probing is going to be done and remembered, I would prefer it be done
roughly as follows:
- TLS probing by IP, with support/non-support cached
- ECS probing done over TLS only, with support/non-support cached (to
minimize TLS usage).

The signaling in (a) should, in theory, be regarding *both* ECS and TLS
support, maybe as yet another delegation record (sibling to DS and NS). But
it's an ugly hack.

Brian

v2.23.0 | Report a Bug | By Email