IETF Logo Mail Archive

Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>

Sara Dickinson <sara@sinodun.com> Wed, 26 February 2020 14:19 UTC

Return-Path: <sara@sinodun.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF2383A0797; Wed, 26 Feb 2020 06:19:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sinodun.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vReJa_K1Hm9O; Wed, 26 Feb 2020 06:19:11 -0800 (PST)
Received: from balrog.mythic-beasts.com (balrog.mythic-beasts.com [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 241A43A07A6; Wed, 26 Feb 2020 06:19:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sinodun.com ; s=mythic-beasts-k1; h=To:Date:Subject:From; bh=r7W9VckeGS33LtEvRkpn2qGKtsRukMBfI46bNWWZTdw=; b=kJXKI8U1TeFnOB7jlrlxpXc1FL jLC+62UIx0IuKpGP7MUxzFOXnisuwE9NC0HKGjHI0P6mV8+ZDCHr+feO8YmGtQ0PQODXba6ZW6Bwp BJDfPRmx+7EalFjHfmaGbkiAvdY2NwnyrHtNpDuUeYDsSEbIh5XBhM0nOCnu4I1xd3yHIOEG4xLUd bMmcmmAjfRNm1e6A8HLjIhyLoof+u+4D+SfOqHkhhBwxsvPaMpS0P2P5gHiWlXfPj5P/IJS/TB9Mq VKsFzMmpoBRgQD47RqdlkQjE5CWT0ypdGOr54JeJ6+uvfojkyHLt2GSVda38CB37GS6It0jIA6XT8 2PiERvdg==;
Received: from [62.232.251.194] (port=21124 helo=[172.27.240.3]) by balrog.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from <sara@sinodun.com>) id 1j6xWd-0000hY-I1; Wed, 26 Feb 2020 14:19:03 +0000
From: Sara Dickinson <sara@sinodun.com>
Message-Id: <721AD54C-0324-4400-8492-4AA19A64699D@sinodun.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D8A60E5B-4F51-442E-96C7-D0F30470978B"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Wed, 26 Feb 2020 14:18:48 +0000
In-Reply-To: <CABcZeBOiEu8qO_VHtHc7Fs47Wh0tGDn3ywM5LDZtWoxuHZ_isw@mail.gmail.com>
Cc: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "draft-ietf-dprive-rfc7626-bis@ietf.org" <draft-ietf-dprive-rfc7626-bis@ietf.org>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>
To: Eric Rescorla <ekr@rtfm.com>
References: <157955609351.1744.15099511006231348523.idtracker@ietfa.amsl.com> <417BE033-4DE5-452A-BE93-0657C83051BC@cisco.com> <CABcZeBPK3yAaoai4ccd=hSffk5cAhoSC7gnBNqs36x-xJf=R-Q@mail.gmail.com> <503E2696-AB4A-4020-90CC-802D312D23AF@sinodun.com> <CABcZeBOiEu8qO_VHtHc7Fs47Wh0tGDn3ywM5LDZtWoxuHZ_isw@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-BlackCat-Spam-Score: 4
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/VJIbKuh5z2qy8WJ67-GcOe5WSck>
Subject: Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2020 14:19:18 -0000


> On 23 Jan 2020, at 13:53, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> On Thu, Jan 23, 2020 at 5:08 AM Sara Dickinson <sara@sinodun.com> wrote:
> 
>> 
>> 
>> On 20 Jan 2020, at 22:37, Eric Rescorla <ekr@rtfm.com> wrote:
>> 
>> Review comments attached:
>> 
>> 
>> COMMENTS
>> S 3.1.
>> >      described above, and may not have any confidentiality requirements.
>> >      However, the same is not true of a single transaction or a sequence
>> >      of transactions; that transaction is not / should not be public.  A
>> >      typical example from outside the DNS world is: the web site of
>> >      Alcoholics Anonymous is public; the fact that you visit it should not
>> >      be.
>> 
>> Well, technically what you want to conceal is the origin of the
>> transaction or its linkage to other transactions. The existence of the
>> query for that A record isn't secret.
> 
> Suggest:
> 
> “that transaction (and specifically the origin of that transaction) is not / should not be public."
> 
> The parenthetical swallows the main sentence. The accurate thing to say is:
> 
> In general, the existence of a single query is not sensitive -- though there may be exceptions
> for some very low use domains. However, the origin of a given query may leak information
> about specific users and the ability to link queries reveals information about individual use
> patterns.

To fit with existing text suggest:

 However, the same is not true of a single transaction or a sequence
 of transactions; those transaction are not / should not be public. A single 
 transactions reveals both the originator of the query and the query 
 contents which potentially leaks sensitive information about a specific user. A
 typical example from outside the DNS world is: the web site of
 Alcoholics Anonymous is public; the fact that you visit it should not
 be.  Furthermore, the ability to link queries reveals information about individual use patterns. 

<snip>

> 
> 
>> 
>> 
>> 
>> 
>> S 3.4.2.
>> >      services available.  Given this, the choice of a user to configure a
>> >      single resolver (or a fixed set of resolvers) and an encrypted
>> >      transport to use in all network environments can actually serve to
>> >      identify the user as one that desires privacy and can provide an
>> >      added mechanism to track them as they move across network
>> >      environments.
>> 
>> I don't understand this paragraph. It's not the choice of specific
>> resolvers that leaks data, but the choice to turn on encryption, In
>> fact, from an identification purpose, the more resolvers that support
>> encrypted transport, the better signal this is.
> 
> This was driven by an observation that many early adopters set up their own DoT server and used that from all their devices, which could act as a way to identify that user. 
> 
> 1. This seems like an edge case.
> 2. We already have plenty of people running their own unencrypted resolvers for other reasons.

I can live with removing this text, but it does seem there is something to say about the fact configuring a single resolver for a device could differentiate a user….

> 
>> 
>> 
>> S 3.5.1..1.2.
>> >   
>> >      o  communicate clearly the change in default to users
>> >   
>> >      o  provide configuration options to change the default
>> >   
>> >      o  provide configuration options to always use the system resolver
>> 
>> I get that you think this is neutral, but all of this is equally true
>> about dynamic discovery via DHCP, it's just that that's the status
>> quo, so you don't notice it. In this context, this text is tendentious.
> 
> The first paragraph of section 3.5.1.1 talks about the variability of DNS resolution privacy with network (assuming DHCP). I can add some text there to better explain the status quo if you think it is needed. Suggest:
> 
> “Typically joining a new network requires some form of user action (e.g physically plugging in a cable or selecting a network in a OS dialogue) and so a user is also implicitly choosing to use the DHCP-provided resolver via this action too."
> 
> The user has no idea that such a DHCP resolver even exists. And you could say the same thing about the user's choice to install an application with its own resolver selection logic.
> 
> 
> I can’t think of a mobile or desktop OS that doesn’t allow users to override the DHCP provided DNS settings…. but I could text about that in section 5.1.1. if you really think it is needed?
> 
> This isn't about that. AFAICT most major applications also allow you to use the system resolver choices. Rather, the issue here is the repeated arguments in this discussion (which you implicitly accept above) that the current status quo somehow represents user choice whereas an application choosing its own resolver does not. And both this text and your proposed text implicitly takes a position on that.

I think that is reading quite a bit into the text however, to reduce any implicit misinterpretation I propose trying to further align the two sections… 

1) Replace the first paragraph in section 3.5.1.1 with the following:

"Given all the above considerations, the choice of recursive resolver has direct privacy considerations for end users.  Historically, end user devices have used the DHCP-provided local network recursive resolver. Because of this, the choice by a user to join a particular network  (e.g. by physically plugging in a cable or selecting a network in a OS dialogue) also determines the default system DNS resolver selection; the two are directly coupled in this model.

The vast majority of users do not change their default system DNS settings and so implicitly accept the network settings for DNS. The network resolvers have therefore historically been the sole destination for all of the DNS queries from a device. These resolvers may have strong, medium, or weak privacy policies depending on the network.  Privacy policies for these servers may or may not be available and users need to be aware that privacy guarantees will vary with network.

All major OS’s expose the system DNS settings and allow users to manually override them if desired.”


2) And replace the second paragraph of 3.5.1.1.2  with this:

"Such application-specific settings introduce new control points on end user devices for DNS resolution settings in addition to the historically used system settings discussed in Section 3.5.1.1. They therefore alter the DNS privacy considerations for the device by introducing additional destinations for DNS queries. 

Users will only be aware that a new control point (with new defaults) exists if an application clearly communicates this to the user on install or upgrade. 

The vast majority of users do not change default application-specific settings and so implicitly accept the application-specific settings for DNS. As with network resolvers, these resolvers may have strong, medium, or weak privacy policies depending on the application.  Privacy policies for these servers may or may not be available and users need to be aware that privacy guarantees will vary with each application. 

For users to have the ability to inspect and control the application-specific DNS settings in a similar fashion to the OS DNS settings, each application must also:

   o  expose the default settings to the user

   o  provide configuration options to manually override the default settings

   o  provide configuration options to always use the system resolver"


> 
> 
> The point in section 3.5.1.1.2  terms of privacy considerations is that any application that uses an application specific DNS setting introduces another control point on the device for the DNS resolution setting (which with the current offerings is independent of the network used), and if or how that is exposed is entirely up to the application. I suggest adding this text at the start of the second paragraph:
> 
> "Such application-specific settings introduce new control points on end user devices for DNS resolution settings in addition to the historically used system settings."
> 
> Well, I suppose this is true, but it's also true of (for instance) allowing the user to set a proxy, which we've done forever.
> 
>> 
>> 
>> S 3.5.1.1.2.
>> >   
>> >      Application-specific changes to default destinations for users' DNS
>> >      queries might increase or decrease user privacy - it is highly
>> >      dependent on the network context and the application-specific
>> >      default.  This is an area of active debate and the IETF is working on
>> >      a number of issues related to application-specific DNS settings.
>> 
>> This, too, could be said about the current situation.
> 
> See above. 
> 
> And my response above.
> 
> -Ekr
> 
> 
> Sara. 
> 
>> 
>> On Mon, Jan 20, 2020 at 1:47 PM Eric Vyncke (evyncke) <evyncke@cisco.com <mailto:evyncke@cisco.com>> wrote:
>> Thanks to Sara and Stéphane for the -04 revised I-D. 
>> 
>> After reading the -04, I think that most of the IETF Last Call comments are addressed (and consensus needs to be balanced -- even for informational document) and that the document sticks to facts.
>> 
>> But, as section 3.5.1 ("in the recursive resolvers") raised a lot of discussions during the first IETF Last Call, and as the authors reacted to those comments by deep changes in the text, let's have a new IETF Last Call before proceeding with IESG evaluation.
>> 
>> Again, thank you to the reviewers and the authors
>> 
>> Regards,
>> 
>> -éric
>> 
>> 
>> On 20/01/2020, 22:34, "IETF Secretariat" <ietf-secretariat-reply@ietf.org <mailto:ietf-secretariat-reply@ietf.org>> wrote:
>> 
>>     IESG state changed:
>> 
>>     New State: Last Call Requested
>> 
>>     (The previous state was Waiting for AD Go-Ahead::AD Followup)
>> 
>>     The previous last call raised several points. The authors have worked on those points and this new informational IETF draft has substantive changes; enough to go trigger a new IETF Last Call.
>> 
>>     -éric
>> 
>>     Datatracker URL: https://datatracker.ietf.org/doc/draft-ietf-dprive-rfc7626-bis/ <https://datatracker.ietf.org/doc/draft-ietf-dprive-rfc7626-bis/>
>> 
>> 
>> 
>> _______________________________________________
>> dns-privacy mailing list
>> dns-privacy@ietf.org <mailto:dns-privacy@ietf.org>
>> https://www.ietf.org/mailman/listinfo/dns-privacy <https://www.ietf.org/mailman/listinfo/dns-privacy>
>> 
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org <mailto:dns-privacy@ietf.org>
> https://www.ietf.org/mailman/listinfo/dns-privacy <https://www.ietf.org/mailman/listinfo/dns-privacy>

v2.23.0 | Report a Bug | By Email