Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Tue, 05 May 2020 09:10 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Eric Rescorla <ekr@rtfm.com>, Sara Dickinson <sara@sinodun.com>
CC: Eric Orth <ericorth@google.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Vittorio Bertola <vittorio.bertola@open-xchange.com>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>, "draft-ietf-dprive-rfc7626-bis@ietf.org" <draft-ietf-dprive-rfc7626-bis@ietf.org>
Date: Tue, 05 May 2020 09:10:30 +0000
Message-ID: <ACA9854E-00B7-4776-A850-E5069C672121@cisco.com>
References: <157955609351.1744.15099511006231348523.idtracker@ietfa.amsl.com> <417BE033-4DE5-452A-BE93-0657C83051BC@cisco.com> <CABcZeBPK3yAaoai4ccd=hSffk5cAhoSC7gnBNqs36x-xJf=R-Q@mail.gmail.com> <503E2696-AB4A-4020-90CC-802D312D23AF@sinodun.com> <CABcZeBOiEu8qO_VHtHc7Fs47Wh0tGDn3ywM5LDZtWoxuHZ_isw@mail.gmail.com> <721AD54C-0324-4400-8492-4AA19A64699D@sinodun.com> <CABcZeBP4CknS=9Y96CqgykChg4H_jrgkaWmHPN4319+nXe=10w@mail.gmail.com> <CAH1iCiobuYitR26Hh0pbYpA_JZoB1a1iMyHJs1FAgW9GtOk56g@mail.gmail.com> <CABcZeBNa-OTEYjnL=+-F=WK3hZiOWmty1S=FC43Fr3CxuCPE_g@mail.gmail.com> <32D26638-2464-4E7B-8869-C65F773EF5F2@sinodun.com> <CABcZeBNnAZ1ttKHdtZMwWZGvWAYn3jZBps+hXOBMHQXgaKPUEA@mail.gmail.com> <00AF0382-CD8B-46F3-9838-50602379FE9F@sinodun.com> <CABcZeBOELM=d0xXgYN+r4cNsRO6=oyQscdwwdSTqypV5gNra0A@mail.gmail.com> <F6C06842-9D76-45DF-84A0-B0C4D724E66E@sinodun.com> <CABcZeBPVocy593=WJM2k3Ytrwg36qc_1d4VQH3otRM5qyvZwLA@mail.gmail.com> <1388052392.1781.1586274052101@appsuite-gw1.open-xchange.com> <CABcZeBNi2LKvGFcmTM0uC+rFEVm5tgw6Zo1LS_CoO5=Zo0zqSA@mail.gmail.com> <C03AC6C2-9DCB-448A-B906-3062BD616E31@sinodun.com> <CAMOjQcGrWXFpStp=iVbo1jVN3qnen8rC71SyXv6evY2-MgUdxg@mail.gmail.com> <3345FB83-A19A-4542-8A8E-C535884B157F@sinodun.com> <CABcZeBPP6J=a=hW6BLcMnKawupa3RjjpYAzgZ317=ryLy39n+A@mail.gmail.com> <8CEFE3CB-A88C-4BBC-95B8-9850142DB5EE@sinodun.com> <CABcZeBPF41eq-HYXdYScx7bqYyUO7-oH6zWKqj7Ka23u8x_E4A@mail.gmail.com>
In-Reply-To: <CABcZeBPF41eq-HYXdYScx7bqYyUO7-oH6zWKqj7Ka23u8x_E4A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/_enCMo8pAMVE9MGUCrJzsF2-g50>
Subject: Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>

Eric / Ekr,

Sara has posted a revised I-D; does it address the point in your email dated 9th of April?

She also replied end of April with:

“I see the confusion now, the sentence beginning ‘If not,’ was meant to refer to whether (if they didn’t support using the system resolver) individual applications offered per-application settings to inspect/manage the DNS queries e.g. export session keys. To try to rework the text in context:

"An increasing number of applications are offering application-specific encrypted DNS resolution settings, rather than defaulting to using only the system resolver.  A variety of heuristics and resolvers are available in different applications including hard-coded lists of recognized DoH/DoT servers.

For users to have the ability to manage the DNS resolver settings for each individual application in a similar fashion to the OS DNS settings, each application would need to expose the default settings to the user, provide a configuration interface to change them, and support configuration of user specified resolvers.

The system resolver resolution path is sometimes used to configure additional DNS controls e.g. query logging, domain based query re-direction or filtering.
If all of the applications used on a given device can be configured to use the system resolver, such controls need only be configured on the system resolver resolution path. However, if applications offer neither the option to use the system resolver nor equivalent application-specific DNS controls, then users should take note that for queries generated by such an application they may not be able to
* directly inspect the DNS queries (e.g. if they are encrypted), or
* manage them to set DNS controls across the device which are consistent with the system resolver controls.

Note that if a client device is compromised by a malicious application, the attacker can use application-specific DNS resolvers, transport and controls of its own choosing.”


Thank you for your prompt reply

-éric V (the other one)

From: Eric Rescorla <ekr@rtfm.com>
Date: Thursday, 9 April 2020 at 16:35
To: Sara Dickinson <sara@sinodun.com>
Cc: Eric Orth <ericorth@google.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Vittorio Bertola <vittorio.bertola@open-xchange.com>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>, Eric Vyncke <evyncke@cisco.com>, "draft-ietf-dprive-rfc7626-bis@ietf.org" <draft-ietf-dprive-rfc7626-bis@ietf.org>
Subject: Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>

On Thu, Apr 9, 2020 at 6:36 AM Sara Dickinson <sara@sinodun.com> wrote:

On 9 Apr 2020, at 14:24, Eric Rescorla <ekr@rtfm.com> wrote:

<snip>

How about making the last sentence a little more specific instead:

If not, then (depending on the application and transport used for DNS queries) users should take note that they may not be able to inspect the DNS queries generated by such applications, or manage them to set consistent application-level controls across the device for e.g. domain based query re-direction or filtering.”

If the feeling is that it is really needed then I would suggest text that is consistent with that used in section 3.5.2.1, for example:

“ In addition, if a client device is compromised by a malicious application, the attacker can
  use application-specific DNS resolvers, transport and settings of its own choosing.”

Sort of. This seems like it still buries the lede.

“Note that if a client device is compromised by a malicious application, the attacker can use application-specific DNS resolvers, transport and settings of its own choosing and thus will not be affected by these controls.”

By ‘these controls’ do you mean any controls that the malicious application appears to offer to the user? If so, then does this capture your point:

“Note that if a client device is compromised by a malicious application, the attacker can use application-specific DNS resolvers, transport and settings of its own choosing regardless of what DNS configuration the malicious application may appear to offer the user (if any).”

No. My point is that the platform level DNS controls that you are trying to use don't work in this case.

-Ekr


Sara.
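As an added example (not part of the thread or of the draft), here is a small Python check for the situation the quoted draft text describes: logging, redirection or filtering configured on the system resolver path never sees queries that an application sends to a DoH or DoT resolver of its own. It classifies constructed per-process connection records by resolution path. The stub resolver address 127.0.0.53, the process name systemd-resolved, the endpoint names and the record format are assumptions chosen for the illustration, not anything the draft specifies.

```python
"""Find processes whose DNS resolution bypasses the system resolver path.

Added example, not code from the draft or the thread. Input records are
constructed; the addresses, process names and endpoint list are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed local stub resolver address and the process that implements it.
SYSTEM_RESOLVER_IP = "127.0.0.53"
SYSTEM_RESOLVER_PROCESSES = {"systemd-resolved"}
# Illustrative list of known DoH endpoints (matched on TLS SNI). A real
# deployment would have to maintain this list, and it is never complete.
KNOWN_DOH_HOSTS = {"doh.example.net"}


@dataclass
class Flow:
    process: str   # process that opened the connection
    dst_ip: str
    dst_port: int
    proto: str
    sni: str       # TLS server name if visible, else ""


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: process,dst_ip,dst_port,proto,sni."""
    process, dst_ip, dst_port, proto, sni = line.split(",")
    return Flow(process, dst_ip, int(dst_port), proto, sni)


def classify(flow: Flow) -> str:
    """Name the resolution path a single connection belongs to."""
    if flow.process in SYSTEM_RESOLVER_PROCESSES:
        return "system-resolver"          # upstream leg of the system path
    if flow.dst_port == 53 and flow.dst_ip == SYSTEM_RESOLVER_IP:
        return "system-resolver"          # application using the stub
    if flow.dst_port == 53:
        return "do53-bypass"              # cleartext DNS to another server
    if flow.dst_port == 853:
        return "dot-bypass"               # DNS over TLS from the app itself
    if flow.dst_port == 443 and flow.sni in KNOWN_DOH_HOSTS:
        return "doh-bypass"               # DNS over HTTPS to a known endpoint
    # Anything else (including DoH to an endpoint not on the list, or TLS
    # without a visible SNI) is indistinguishable from ordinary traffic here.
    return "other"


def summarize(log: str) -> Dict[str, Set[str]]:
    """Map each process to the set of resolution paths it was seen using."""
    paths: Dict[str, Set[str]] = {}
    for line in log.splitlines():
        if line.strip():
            flow = parse_flow(line)
            paths.setdefault(flow.process, set()).add(classify(flow))
    return paths


def bypassing_processes(log: str) -> List[str]:
    """Processes with at least one connection that skips the system path."""
    return sorted(proc for proc, kinds in summarize(log).items()
                  if any(kind.endswith("-bypass") for kind in kinds))


# Constructed sample records (not real captures).
SAMPLE_FLOWS = """\
systemd-resolved,192.0.2.53,853,tcp,dot.example.org
browser,127.0.0.53,53,udp,
browser,198.51.100.10,443,tcp,doh.example.net
chat-app,203.0.113.7,853,tcp,
chat-app,203.0.113.8,443,tcp,www.example.com
mail,127.0.0.53,53,udp,
"""

if __name__ == "__main__":
    for proc, kinds in summarize(SAMPLE_FLOWS).items():
        print(f"{proc:18s} {sorted(kinds)}")
    print("bypassing system resolver controls:", bypassing_processes(SAMPLE_FLOWS))
```

The "other" bucket is the limit the draft text points at: an application that talks DoH to a resolver not on the list, or a compromised device whose malicious application does the same, produces nothing this check can attribute to DNS, so the system resolver's logging or filtering neither sees nor governs those queries. The list of known endpoints only catches the cooperative cases.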