IETF Logo Mail Archive

Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>

Stephane Bortzmeyer <bortzmeyer@nic.fr> Tue, 12 May 2020 15:38 UTC

Return-Path: <stephane@sources.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EB3A3A0B3F; Tue, 12 May 2020 08:38:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.649
X-Spam-Level:
X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id epUaDK7IfwMD; Tue, 12 May 2020 08:38:09 -0700 (PDT)
Received: from ayla.bortzmeyer.org (ayla.bortzmeyer.org [IPv6:2001:4b98:dc0:41:216:3eff:fe27:3d3f]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 557C83A0B38; Tue, 12 May 2020 08:38:09 -0700 (PDT)
Received: by ayla.bortzmeyer.org (Postfix, from userid 10) id 5B70DA027B; Tue, 12 May 2020 17:38:07 +0200 (CEST)
Received: by mail.sources.org (Postfix, from userid 1000) id 590C5CB75F; Tue, 12 May 2020 17:33:45 +0200 (CEST)
Date: Tue, 12 May 2020 17:33:45 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Christian Huitema <huitema@huitema.net>
Cc: Sara Dickinson <sara@sinodun.com>, Eric Rescorla <ekr@rtfm.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "draft-ietf-dprive-rfc7626-bis@ietf.org" <draft-ietf-dprive-rfc7626-bis@ietf.org>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>
Message-ID: <20200512153345.GB13200@sources.org>
References: <3345FB83-A19A-4542-8A8E-C535884B157F@sinodun.com> <CABcZeBPP6J=a=hW6BLcMnKawupa3RjjpYAzgZ317=ryLy39n+A@mail.gmail.com> <8CEFE3CB-A88C-4BBC-95B8-9850142DB5EE@sinodun.com> <CABcZeBPF41eq-HYXdYScx7bqYyUO7-oH6zWKqj7Ka23u8x_E4A@mail.gmail.com> <ACA9854E-00B7-4776-A850-E5069C672121@cisco.com> <CABcZeBOxN7iNTLFUw7JDc4ZGH_u4awys3g52de29CuOyQv2JUQ@mail.gmail.com> <C8B168D0-F719-405F-892F-14573A7C568D@sinodun.com> <CABcZeBPGAgqSPKWXKaL6kK5CYzgK+RmwFrMwhc6ED7aGnV_ayA@mail.gmail.com> <8AB227E2-F968-47C4-9EB6-40A988263892@sinodun.com> <4fc44293-cdd9-24b7-cf26-1451a3652f73@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <4fc44293-cdd9-24b7-cf26-1451a3652f73@huitema.net>
X-Transport: UUCP rules
X-Operating-System: Debian GNU/Linux 10.3
X-Charlie: Je suis Charlie
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/8TWlayR7vjucNOz-AR9oBJaWSnM>
Subject: Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 May 2020 15:38:12 -0000

On Mon, May 11, 2020 at 12:35:11PM -0700,
 Christian Huitema <huitema@huitema.net> wrote 
 a message of 294 lines which said:

> The paragraph in section 5.1 seems to imply that embedding a
> recursive resolver in the end point or close to reduces the privacy
> attack surface:

Note that it was already in RFC 7626 (which does not mean it was
right). I agree with you that there is a weakness in the reasoning (a
sniffer located between such a resolver and the rest of the Internet
would see a lot since a one-user resolver may have little caching).

I think the problem is that the RFC (in 7626-ter?) should better
separate upstream surveillance (before the resolver), downstream
surveillance (after the resolver) and internal surveillance (inside
the resolver). Using a in-host resolver decreases upstream
surveillance and suppresses internal surveillance, but does little for
downstream surveillance (because of limited caching). Using a remote
resolver with DoT or DoH to reach it may expose to internal
surveillance (if the trust in this resolver is misplaced) but
decreases upstream and downstream (because of caching) surveillance.

> At a minimum, I would like to see a forward pointer to section 6.2
> in the recursive resolver on device paragraph. A general warning
> that this is a trade-off would be nice too.

I agree and I suggest "As it is often the case with privacy, there is
a trade-off here. A local (to the user's machine or LAN) resolver
reduces the risk that the resolver's administrator read the user's DNS
traffic, but it does not protect a lot against later sniffing, done at
the place where the resolver talks with authoritative name servers."

> I found the discussion of application embedded resolvers bizarre.

See <https://mailarchive.ietf.org/arch/msg/dns-privacy/ZATyqXQ6ccNHTqsMpbq__3a72WM>
I know think that it is indeed on the wrong track.

> In a modern environment, the concept of host is very fuzzy. We get all
> kinds of special devices. We also get containers or virtual machines
> running inside hosts. A browser is in practice such a container.

I agree that OSvsApplication it should not be in this draft.

> As for section 6.1.1.2, I would scratch most of it,

I completely agree.

v2.23.0 | Report a Bug | By Email