IETF Logo Mail Archive

Re: [dns-privacy] Review of draft-ietf-dprive-rfc7626-bis-03 - Section 3.5.1.1 Comments

Rob Sayre <sayrer@gmail.com> Thu, 19 December 2019 04:05 UTC

Return-Path: <sayrer@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE465120100; Wed, 18 Dec 2019 20:05:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vTitEAYsowFS; Wed, 18 Dec 2019 20:05:55 -0800 (PST)
Received: from mail-io1-xd31.google.com (mail-io1-xd31.google.com [IPv6:2607:f8b0:4864:20::d31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C138120018; Wed, 18 Dec 2019 20:05:55 -0800 (PST)
Received: by mail-io1-xd31.google.com with SMTP id r13so4346603ioa.3; Wed, 18 Dec 2019 20:05:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9j+Q+j7cuImt9sdyAVto0yZ0HlXL0sPDwrVF1cq45ew=; b=e74MxcBmwtJCJ1XDx00IDP1e5Kg4904iStx5n1dgwKhRHOwpahIPLgqU61ZU0eTEq2 twW20zxP+l+pxWZydtXZm2zlKfRHhoaHH2OOyRz9mbMHZWXbLRfWVrpJJbJU9FzQNZlk oZdQRV/vI1QAmSNioKijTrBaRV1keZx9fEJzj4fMIDGxnvqYGlGvDeFJh+C9HV0525vD ejM1Aaza2ySrQr+cxcoPW5PnCEafJFsPHeLDrZ68biX3ONrXJPH8n1pEqixZr8CvFuMO pjSXC9654YMBAt7RH/hThK2TJr8DOSKEGjKWPXp2xsg7vERaLtHYbzW/gJGYyXWtPOmf cBqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9j+Q+j7cuImt9sdyAVto0yZ0HlXL0sPDwrVF1cq45ew=; b=sHElwrSVPxerJOJ0SHEbRtdv/P+6UrZyaBxwfI7a5mZFmQ3kqsy7PWpXoGkEY3ffyT 6hSrZGQWNXCeVOOdPPW8g2nxJ+oa5otiVlOcQMD0ThyjjFmVmPejz742eiLMqxFi4v4U HWI2WzILWUSfpDh3Oqkw4AFUceFPx0gwpwQPGHKj4tgSIBTTtFXqq0/unAaIbBNPQZ1M cupxVS2POByhixum4sZ0a4FDhUatHss5IOnNJc1Wbs+ileD1Ek7hph0r8BQcExFUHxFh LkXhj0TYsmZxCHwL+gMBOcCbijzurpGhEJk91lx3gqgQ5ZCcPaZvcvvxPLyFBExk8vau 2qnw==
X-Gm-Message-State: APjAAAX+CMCcS5f5TSLc73zHwXaJWZ954+XM0ZaQ4rTq1ywHAt37jrHV 4+sNnhxA0XDJw+d8nicPriop0lXmlnefeOXf2DTtfuDfcLDrJQ==
X-Google-Smtp-Source: APXvYqwOyp+iXgP0uciEN1qPFY8xZFONhp9b0vmwpFemT0JGInR34nuu6/l8JLIHtfsuOpd4xnbdJe4EVq+aXrPXVT0=
X-Received: by 2002:a6b:fc0c:: with SMTP id r12mr4126012ioh.189.1576728354117; Wed, 18 Dec 2019 20:05:54 -0800 (PST)
MIME-Version: 1.0
References: <4639bd67-6fca-47d1-aaeb-85fcd0394f46@www.fastmail.com> <7E5F804D-535F-4CB3-8F7F-ABD0ED4B833A@sinodun.com> <CABcZeBON0ung2htbaiKWGKJSUsHrPhrcEfJgVDoO3+UYCQZxsg@mail.gmail.com>
In-Reply-To: <CABcZeBON0ung2htbaiKWGKJSUsHrPhrcEfJgVDoO3+UYCQZxsg@mail.gmail.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Wed, 18 Dec 2019 20:05:42 -0800
Message-ID: <CAChr6SxJ3_KssG7+icH3gg50r0fxxB5PvStbA1EPbDMQSNF9-A@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Sara Dickinson <sara@sinodun.com>, last-call@ietf.org, DNS Privacy Working Group <dns-privacy@ietf.org>, Martin Thomson <mt@lowentropy.net>
Content-Type: multipart/alternative; boundary="000000000000745f5b059a06ad1b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/BGdJ60rf_fKP4ijL4LdgQrmzDHk>
Subject: Re: [dns-privacy] Review of draft-ietf-dprive-rfc7626-bis-03 - Section 3.5.1.1 Comments
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Dec 2019 04:05:57 -0000

On Wed, Dec 18, 2019 at 6:10 PM Eric Rescorla <ekr@rtfm.com> wrote:

>
>> “It has been pointed out that should the trend towards using large public
>> resolvers increase, an increased centralisation of DNS resolution services
>> will result.
>>
>
> Well, it's been pointed out, but it's not at all clear that it's true, due
> to the large amount of centralization of ISPs in certain areas, so no, I
> don't think this document should make this claim.
>

Agree.



> An increasing number of applications are offering application-specific
>> encrypted DNS resolution settings, rather than defaulting to using only the
>> system resolver. Due to a lack of a standardized discovery mechanism for
>> DoH and Strict DoT servers, applications that do so are currently limited
>> to using hard coded lists of resolvers and a variety of heuristics and
>> resolvers are available in different applications. At the time of writing,
>> efforts to provide standardized signalling mechanisms for applications to
>> also discover the services offered by local resolvers are in progress
>> [I-D.ietf-dnsop-resolver-information]. Note that an increasing numbers of
>> ISPs are deploying encrypted DNS, for example see the Encrypted DNS
>> Deployment Initiative [EDDI].
>>
>
> I'm not sure what the point of this text is, but it seems kind of
> confusing. In particular, it's not the case that the primary reason that
> Firefox uses a hardcoded list is because there is no standardized discovery
> mechanism.
>

The text also relates discovery to encryption. That seems odd. Is it the
case that some parties didn't mind which DNS server was used, as long as
the traffic was unencrypted?



>
> Everything after this just seems to pre-empt discussions that are ongoing
> and haven't reached consensus.
>
>
>> Application-specific changes to default destinations for users' DNS
>> queries might increase or decrease user privacy - it is highly dependant on
>> the network context and the application-specific default. This is an area
>> of active debate.
>>
>> In order that users are aware of and can control such changes it is
>> highly desirable that applications
>>
>
Is it "highly desirable", though?


> * communicate clearly the change in default to users
>>
>
Not clearly true, since the status quo is often not clearly communicated.


> * provide configuration options to change the default
>>
>
Doesn't seem like that is always desirable. Some routers and networks don't
offer configuration options, but that doesn't mean they should be obeyed.
It's complicated.


> * provide configuration options to always use the network provided resolver
>>
>
"network provided resolver" is not well-defined.

thanks,
Rob

v2.23.0 | Report a Bug | By Email