IETF Logo Mail Archive

Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>

Sara Dickinson <sara@sinodun.com> Thu, 05 March 2020 13:14 UTC

Return-Path: <sara@sinodun.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF5913A146D; Thu, 5 Mar 2020 05:14:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sinodun.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GScaeLkh0I7a; Thu, 5 Mar 2020 05:14:03 -0800 (PST)
Received: from balrog.mythic-beasts.com (balrog.mythic-beasts.com [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA1563A1469; Thu, 5 Mar 2020 05:14:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sinodun.com ; s=mythic-beasts-k1; h=To:Date:From:Subject; bh=mQLnKa5jbeR+XqPowFQw0+qo3cc/es4wrp4uYkVotzE=; b=dcU4iDSBOAJbKS46WnEAYL32sv AltqqlcxqlXBf2XIcWH8imhUv/0glWY2IE8Shaw//G7e60sF7TA/U4fDKinvo8Z2rs82l3RFBJ2e6 MR+9oqloe/wIbBiiZj6OhBvb1RPQPWXQjdoP820X/Sd6EnEa7z+KPgI9yfpEJQ/HoYNFTgvrZoYF8 sJ2zozfoi4VUMU+ZD7H1GFA1OoiH+p474HR3q+bMlBI0N5XRjKL1dCg30T+znIoFRL1NGHpA/1B8r gjqZia1P0VGAf5N13rpxa6L1iACBAn5qw9pPv+/3vgnSRxcNht5LnCEaq7TRtscK0dMyWV/v9yPss CqzJxTjQ==;
Received: from [2001:b98:204:102:fffa::2] (port=53429) by balrog.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from <sara@sinodun.com>) id 1j9qK1-0002Qy-Ah; Thu, 05 Mar 2020 13:13:57 +0000
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Sara Dickinson <sara@sinodun.com>
X-Priority: 3
In-Reply-To: <720884469.25298.1583235268827@appsuite-gw1.open-xchange.com>
Date: Thu, 05 Mar 2020 13:13:48 +0000
Cc: Eric Rescorla <ekr@rtfm.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "draft-ietf-dprive-rfc7626-bis@ietf.org" <draft-ietf-dprive-rfc7626-bis@ietf.org>, Brian Dickson <brian.peter.dickson@gmail.com>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <A5AC1800-35E7-49C1-803D-6F1ACF1268EC@sinodun.com>
References: <157955609351.1744.15099511006231348523.idtracker@ietfa.amsl.com> <417BE033-4DE5-452A-BE93-0657C83051BC@cisco.com> <CABcZeBPK3yAaoai4ccd=hSffk5cAhoSC7gnBNqs36x-xJf=R-Q@mail.gmail.com> <503E2696-AB4A-4020-90CC-802D312D23AF@sinodun.com> <CABcZeBOiEu8qO_VHtHc7Fs47Wh0tGDn3ywM5LDZtWoxuHZ_isw@mail.gmail.com> <721AD54C-0324-4400-8492-4AA19A64699D@sinodun.com> <CABcZeBP4CknS=9Y96CqgykChg4H_jrgkaWmHPN4319+nXe=10w@mail.gmail.com> <CAH1iCiobuYitR26Hh0pbYpA_JZoB1a1iMyHJs1FAgW9GtOk56g@mail.gmail.com> <CABcZeBNa-OTEYjnL=+-F=WK3hZiOWmty1S=FC43Fr3CxuCPE_g@mail.gmail.com> <32D26638-2464-4E7B-8869-C65F773EF5F2@sinodun.com> <720884469.25298.1583235268827@appsuite-gw1.open-xchange.com>
To: Vittorio Bertola <vittorio.bertola@open-xchange.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-BlackCat-Spam-Score: 4
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/9aYf9pLufv1ET2QBF0RPbElA5_4>
Subject: Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2020 13:14:06 -0000


> On 3 Mar 2020, at 11:34, Vittorio Bertola <vittorio.bertola@open-xchange.com> wrote:
> 
> 
>> Il 02/03/2020 16:16 Sara Dickinson <sara@sinodun.com> ha scritto:
>> 
>> Suggest: 
>> 
>> "For users to have the ability to inspect and control the application-specific DNS settings in a similar fashion to the OS DNS settings, each application also needs to: 
>> 
>>    o  expose the default settings to the user 
>> 
>>    o  provide configuration options to manually override the default settings so that resolution is performed via
>>           * user specified resolvers
>>           * the resolvers configured into the system settings
>>           * the system resolver via conventional API calls
>> 
>> If all such applications are updated to use the system resolver, as described in the last bullet point, the device reverts to a single point of control for all DNS queries."
> I don't want to nitpick, but I'd point out that from the policy/privacy viewpoint what is important is which resolver is used, not (as long as it does not add any specific new privacy risk) the interface used to contact it - so the second and third "*" bullets are functionally equivalent and it would be fine if an application provided only either one of the two. 

You are broadly correct,  but there are some small differences in that for the second bullet point not all applications may offer the preferred transport (e.g. most browsers don’t support DoT but my preferred resolver might only support DoT) or config options e.g. to omit the User-agent HTTP header. It will also mean X different applications making X different connections to the resolver (which could reveal the set of applications the user has installed). Whereas if everything goes through the system resolver the device appears to the resolver as a single source of queries using a set of connections managed only from the system resolver. 

> 
> In theory, one could say that the two interfaces are not completely privacy-equivalent, since the use of the system API introduces one more party that gets access to data, i.e. the operating system - so one could argue that applications should bypass the OS to prevent it from spying over the user's DNS traffic, exactly like they do with the network. If this is what we want to argue, then we should remove the last "*" bullet. However, exactly as the network, the OS might want to exert some general policy over the user's DNS traffic, such as monitoring infections or filtering specific destinations, so I don't know if such a recommendation would be beneficial in the end. 


This is an interesting point! Note that a user may want to use the system resolver as a point to monitor their own traffic. For example, having multiple sources of DNS queries doesn’t necessarily provide the same ability to troubleshoot issues as a single component does, or (more importantly) to inspect the encrypted traffic leaving the machine. Firefox nicely allows users to export session keys so the traffic can be decrypted locally (and also provides an interface to look at the DNS results), but if an application doesn’t offer this then the user may have no ability to easily see their own DNS traffic. I’ve thought in the past of proposing this as an additional option for the applications (and in future on any OS that implements an encrypted transport) but didn’t follow up.

Sara.

v2.23.0 | Report a Bug | By Email