IETF Logo Mail Archive

Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>

Eric Rescorla <ekr@rtfm.com> Tue, 07 April 2020 15:24 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CBD63A0C26 for <dns-privacy@ietfa.amsl.com>; Tue, 7 Apr 2020 08:24:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tUH7DoLUqnkw for <dns-privacy@ietfa.amsl.com>; Tue, 7 Apr 2020 08:24:03 -0700 (PDT)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03C5F3A0C0D for <dns-privacy@ietf.org>; Tue, 7 Apr 2020 08:24:03 -0700 (PDT)
Received: by mail-lj1-x22e.google.com with SMTP id k21so4214792ljh.2 for <dns-privacy@ietf.org>; Tue, 07 Apr 2020 08:24:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kRmtypDTWVV/e5BTm90ECs09UGXMIDvmFuNwOjgs3OM=; b=IwirzGdF21eDP8gTxmcjK+V7/Vlc9X2Uouv1XY9+ki6zPKtVT36cLnxvhmRjCpqEx/ 3ZuscNSAwiOmUTCPOSKQDH7RESRYpwuS/voAMQLpW+vFs2SWXPhHwmRd0gpFLfoLccz4 iCfeS/OcK5Suy4+djLFuBGqrfRW0NdxWRm0vSlegtKt/2hewrwd6Tm6q+8cxSKj6O93Z UmtZ4pC5YVakweTdXvpp64a6MbhSwrBXIysHeefx+GTXlfFRYynYH6KXrJo37Bza4jiH 9tGgCV/X4l6AEJsoIAxU2d1YdZeDjQJ/MrYxHzKlsDi/nOPuwJqnFMF/IzxBczG0P87b EmAA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kRmtypDTWVV/e5BTm90ECs09UGXMIDvmFuNwOjgs3OM=; b=YjL1v9vlzqMLS6NPMxFS9wnQn98NI0ix9fzoKFRnURCFarizkOxlKBagbWTaveLXCc ZTOx2P+ic1MqXt5gg/yr6lKG39kOMsmkowEI1kmWeIy1my5W5jySpobwDIe+RdrjUcvD tMmduoD8y19UfGJcntGSqB3po8AwMcalTzp5UPaSGCcRVSnKlsE5/GWeyp6aWW3LiD0p hVegUXYeukbq/IhgR265AKAxzT1ibLAejTdMYolY0cEnbfyzNnb/QFloST69jLZ20c5U YkAJRDT6UxHO1rqmaIrNlyeMSLDlVALHdhQPQbdJmgYsCEJYsf8rEfLEiYQ9TrZXRRgZ pRBQ==
X-Gm-Message-State: AGi0Pubyk8LUklHOQHqq/6FP9LEVA4s851AmtcNeHFUHNCSKtsdRTKDp BND0xFUo3g6hjchmY5rg88+4pgDj5oIXIG8TXmcCXw==
X-Google-Smtp-Source: APiQypLkaplbUrtsF5EUDcYgH1g1GS3+p3leCk2lxAqQeqfZXMmW8+kRWaMr015EdGl30vRu3LWSMQMHQRv+erAHUfY=
X-Received: by 2002:a2e:8954:: with SMTP id b20mr1993191ljk.176.1586273041162; Tue, 07 Apr 2020 08:24:01 -0700 (PDT)
MIME-Version: 1.0
References: <157955609351.1744.15099511006231348523.idtracker@ietfa.amsl.com> <417BE033-4DE5-452A-BE93-0657C83051BC@cisco.com> <CABcZeBPK3yAaoai4ccd=hSffk5cAhoSC7gnBNqs36x-xJf=R-Q@mail.gmail.com> <503E2696-AB4A-4020-90CC-802D312D23AF@sinodun.com> <CABcZeBOiEu8qO_VHtHc7Fs47Wh0tGDn3ywM5LDZtWoxuHZ_isw@mail.gmail.com> <721AD54C-0324-4400-8492-4AA19A64699D@sinodun.com> <CABcZeBP4CknS=9Y96CqgykChg4H_jrgkaWmHPN4319+nXe=10w@mail.gmail.com> <CAH1iCiobuYitR26Hh0pbYpA_JZoB1a1iMyHJs1FAgW9GtOk56g@mail.gmail.com> <CABcZeBNa-OTEYjnL=+-F=WK3hZiOWmty1S=FC43Fr3CxuCPE_g@mail.gmail.com> <32D26638-2464-4E7B-8869-C65F773EF5F2@sinodun.com> <CABcZeBNnAZ1ttKHdtZMwWZGvWAYn3jZBps+hXOBMHQXgaKPUEA@mail.gmail.com> <00AF0382-CD8B-46F3-9838-50602379FE9F@sinodun.com> <CABcZeBOELM=d0xXgYN+r4cNsRO6=oyQscdwwdSTqypV5gNra0A@mail.gmail.com> <F6C06842-9D76-45DF-84A0-B0C4D724E66E@sinodun.com>
In-Reply-To: <F6C06842-9D76-45DF-84A0-B0C4D724E66E@sinodun.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 07 Apr 2020 08:23:24 -0700
Message-ID: <CABcZeBPVocy593=WJM2k3Ytrwg36qc_1d4VQH3otRM5qyvZwLA@mail.gmail.com>
To: Sara Dickinson <sara@sinodun.com>
Cc: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "draft-ietf-dprive-rfc7626-bis@ietf.org" <draft-ietf-dprive-rfc7626-bis@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000022b5bb05a2b4f922"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/c-fg3LPcU7QPmSJ3zB0f8OUpeaA>
Subject: Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Apr 2020 15:24:05 -0000

On Tue, Apr 7, 2020 at 7:38 AM Sara Dickinson <sara@sinodun.com> wrote:

>
>
> Begin forwarded message:
>
> *From: *Eric Rescorla <ekr@rtfm.com>
> *Subject: **Re: [dns-privacy] Datatracker State Update Notice:
> <draft-ietf-dprive-rfc7626-bis-04.txt>*
> *Date: *9 March 2020 at 15:01:09 GMT
> *To: *Sara Dickinson <sara@sinodun.com>
> *Cc: *Brian Dickson <brian.peter.dickson@gmail.com>, "Eric Vyncke
> (evyncke)" <evyncke@cisco.com>, "dprive-chairs@ietf.org" <
> dprive-chairs@ietf.org>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "
> draft-ietf-dprive-rfc7626-bis@ietf.org" <
> draft-ietf-dprive-rfc7626-bis@ietf.org>
>
>
>
> On Mon, Mar 9, 2020 at 3:55 AM Sara Dickinson <sara@sinodun.com> wrote:
>
>
> Reviewing this thread after several weeks I realised we had one final
> comment to still resolve so trimming the reponse to focus on that….
>
> <snip>
>
>
>>>>>
>>>>> The vast majority of users do not change default application-specific
>>>>>> settings and so implicitly accept the application-specific settings for
>>>>>> DNS. As with network resolvers, these resolvers may have strong, medium, or
>>>>>> weak privacy policies depending on the application.  Privacy policies for
>>>>>> these servers may or may not be available and users need to be aware that
>>>>>> privacy guarantees will vary with each application.
>>>>>>
>>>>>> For users to have the ability to inspect and control the
>>>>>> application-specific DNS settings in a similar fashion to the OS DNS
>>>>>> settings, each application must also:
>>>>>>
>>>>>>    o  expose the default settings to the user
>>>>>>
>>>>>>    o  provide configuration options to manually override the default
>>>>>> settings
>>>>>>
>>>>>>    o  provide configuration options to always use the system resolver"
>>>>>>
>>>>>
>>>>> This last point is wrong. The parallel here would be to use the
>>>>> *network provided* resolver, not the system resolver. I would suggest that
>>>>> you be less prescriptive about this and just say "applications will need to
>>>>> provide user-visible options to configure the resolver." I would avoid
>>>>> "must" (even in lower case) because this is a statement of fact, not a
>>>>> normative one.
>>>>>
>>>>
>>>
>>>> No, system resolver is accurate. In addition to not knowing what
>>>> possible resolver is offered by DHCP, the application can't know if DHCP
>>>> (i.e. network provided) is even being used -- the system could be using a
>>>> static choice of resolver, or even other non-DNS resolution services (e.g.
>>>> NIS+).
>>>>
>>>
>>> It turns out that there are at least three options here:
>>>
>>> - Select your own resolver
>>> - Select the resolver *configured into the system* (AIUI this is what
>>> Chrome does).
>>> - Use the system resolver via the conventional API calls.
>>>
>>>
>>> Suggest:
>>>
>>> "For users to have the ability to inspect and control the
>>> application-specific DNS settings in a similar fashion to the OS DNS
>>> settings, each application also needs to:
>>>
>>>    o  expose the default settings to the user
>>>
>>>    o  provide configuration options to manually override the default
>>> settings so that resolution is performed via
>>>           * user specified resolvers
>>>           * the resolvers configured into the system settings
>>>           * the system resolver via conventional API calls
>>>
>>> If all such applications are updated to use the system resolver, as
>>> described in the last bullet point, the device reverts to a single point of
>>> control for all DNS queries."
>>>
>>
>> Hmm.... this seems unduly prescriptive. Perhaps.
>>
>> For users to have the ability to inspect and control the
>> application-specific DNS settings in a similar fashion to the OS DNS
>> settings, each application also needs to expose the default settings
>> to the users and provide a configuration interface to change them.  If
>> this interface includes a setting to use the system resolver, then the
>> device can be reverted to a single point of control for all DNS
>> queries.
>>
>>
>> I think this removes the status quo bias.
>>
>>
>> I’d be OK with removing the sub-second bullet point but I think the other
>> two have specific existing use cases:
>>
>> - ‘change them’ doesn’t explicitly allow for user specified resolvers
>> which all OS’s do
>> - without the option to disable the application-specific resolution a
>> user cannot apply device level controls to their DNS queries (logging,
>> filtering or rules directing different queries to different resolvers) in a
>> way that can be done today.
>>
>
> But this is what I mean by "status quo bias". And in this case, I suspect
> it's not even correct status quo bias because plenty of applications have
> been doing their own name resolution for some time (and of course malware
> will not have settings for this).
>
> As I said before, we should hear from people who implement their own
> resolver….
>
>
> The goal of this text is to enumerate for the end user the privacy
> considerations of using such an application so I propose this text:
>
> "For users to have the ability to manage the application-specific DNS
> settings in a similar fashion to the OS DNS settings, each application also
> needs to expose the default settings to the user, provide a configuration
> interface to change them, and support configuration of user specified
> resolvers.
>
> If all of the applications used on a given device also provide a setting
> to use the system resolver, then the device can be reverted to a single
> point of control for all DNS queries. If not, then (depending on the
> application and transport used for DNS queries) users should take note that
> they may not be able to inspect all their DNS queries or manage them to set
> device wide controls e.g. domain based query re-direction or filtering. “
>

I don't think this addresses my concern, because "revert" implies that this
is somehow the default situation, which, as I said, is not clearly the case
because applications have been doing their own resolution for some time.

In the interest of moving forward, i suggest you change the term "reverted"
to "configured" and add at the end "Note that this does not guarantee
controlling malware name resolution as it can simply ignore whatever the
system resolver and any user configuration settings."


Sara.
>
>
> -Ekr
>
> Sara.
>>
>> That said, I'd like to hear from people
>> who implement their own resolver even for Do53. I know Chrome does
>> this and I believe it's quite common for SIP stacks due to performance
>> concerns with the system resolver.
>>
>> -Ekr
>>
>>

v2.23.0 | Report a Bug | By Email