IETF Logo Mail Archive

Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>

Sara Dickinson <sara@sinodun.com> Mon, 11 May 2020 14:27 UTC

Return-Path: <sara@sinodun.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D21383A0B70; Mon, 11 May 2020 07:27:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sinodun.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eZCv6_Z30OX9; Mon, 11 May 2020 07:27:13 -0700 (PDT)
Received: from haggis.mythic-beasts.com (haggis.mythic-beasts.com [IPv6:2a00:1098:0:86:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C04EA3A0B6C; Mon, 11 May 2020 07:27:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sinodun.com ; s=mythic-beasts-k1; h=To:Date:Subject:From; bh=jIB77iOYWUtFZVFFDR9ZE536AKUke7qRcSdXSNWzL7U=; b=YmBl8aGsigKe4Dl8pWa2NGb5Wn ZY1aTX7Gc1+3OMXI4QCRYjnRyHf+z1EEicFQBUDOTeFDSbQAXKYrtsQz0LiDRk4TDZUjjftWBvTuv VT9kv03J2LU49W1VKShxCqNpeWx74/MNeVzLkJ/2RX4QcydIC69R2WaiKOkLPRLaps5mUxFy0cvTR QTD73F6U/9DA7PKT+ch7VK2QaLk1cE+Ps9ep9nIS/aI27ag9lkX7RWKuip1/IZvF2M7t+Zxg/cbus 1MJL2ZOXcXIGad4RPx7ohexVE60zAl3azSYUn8LRAkvrpTtNy57OGrTjbwQ0iypPX7V7V1/zadCtB XU6Qwy9g==;
Received: from [62.232.251.194] (port=14432 helo=[172.27.240.4]) by haggis.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from <sara@sinodun.com>) id 1jY9Od-0001vW-Mw; Mon, 11 May 2020 15:27:07 +0100
From: Sara Dickinson <sara@sinodun.com>
Message-Id: <8AB227E2-F968-47C4-9EB6-40A988263892@sinodun.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_918A914E-54A3-4E83-AD09-68344BF1C5FF"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.14\))
Date: Mon, 11 May 2020 15:27:04 +0100
In-Reply-To: <CABcZeBPGAgqSPKWXKaL6kK5CYzgK+RmwFrMwhc6ED7aGnV_ayA@mail.gmail.com>
Cc: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>, "draft-ietf-dprive-rfc7626-bis@ietf.org" <draft-ietf-dprive-rfc7626-bis@ietf.org>
To: Eric Rescorla <ekr@rtfm.com>
References: <157955609351.1744.15099511006231348523.idtracker@ietfa.amsl.com> <417BE033-4DE5-452A-BE93-0657C83051BC@cisco.com> <CABcZeBPK3yAaoai4ccd=hSffk5cAhoSC7gnBNqs36x-xJf=R-Q@mail.gmail.com> <503E2696-AB4A-4020-90CC-802D312D23AF@sinodun.com> <CABcZeBOiEu8qO_VHtHc7Fs47Wh0tGDn3ywM5LDZtWoxuHZ_isw@mail.gmail.com> <721AD54C-0324-4400-8492-4AA19A64699D@sinodun.com> <CABcZeBP4CknS=9Y96CqgykChg4H_jrgkaWmHPN4319+nXe=10w@mail.gmail.com> <CAH1iCiobuYitR26Hh0pbYpA_JZoB1a1iMyHJs1FAgW9GtOk56g@mail.gmail.com> <CABcZeBNa-OTEYjnL=+-F=WK3hZiOWmty1S=FC43Fr3CxuCPE_g@mail.gmail.com> <32D26638-2464-4E7B-8869-C65F773EF5F2@sinodun.com> <CABcZeBNnAZ1ttKHdtZMwWZGvWAYn3jZBps+hXOBMHQXgaKPUEA@mail.gmail.com> <00AF0382-CD8B-46F3-9838-50602379FE9F@sinodun.com> <CABcZeBOELM=d0xXgYN+r4cNsRO6=oyQscdwwdSTqypV5gNra0A@mail.gmail.com> <F6C06842-9D76-45DF-84A0-B0C4D724E66E@sinodun.com> <CABcZeBPVocy593=WJM2k3Ytrwg36qc_1d4VQH3otRM5qyvZwLA@mail.gmail.com> <1388052392.1781.1586274052101@appsuite-gw1.open-xchange.com> <CABcZeBNi2LKvGFcmTM0uC+rFEVm5tgw6Zo1LS_CoO5=Zo0zqSA@mail.gmail.com> <C03AC6C2-9DCB-448A-B906-3062BD616E31@sinodun.com> <CAMOjQcGrWXFpStp=iVbo1jVN3qnen8rC71SyXv6evY2-MgUdxg@mail.gmail.com> <3345FB83-A19A-4542-8A8E-C535884B157F@sinodun.com> <CABcZeBPP6J=a=hW6BLcMnKawupa3RjjpYAzgZ317=ryLy39n+A@mail.gmail.com> <8CEFE3CB-A88C-4BBC-95B8-9850142DB5EE@sinodun.com> <CABcZeBPF41eq-HYXdYScx7bqYyUO7-oH6zWKqj7Ka23u8x_E4A@mail.gmail.com> <ACA9854E-00B7-4776-A850-E5069C672121@cisco.com> <CABcZeBOxN7iNTLFUw7JDc4ZGH_u4awys3g52de29CuOyQv2JUQ@mail.gmail.com> <C8B168D0-F719-405F-892F-14573A7C568D@sinodun.com> <CABcZeBPGAgqSPKWXKaL6kK5CYzgK+RmwFrMwhc6ED7aGnV_ayA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.14)
X-BlackCat-Spam-Score: 4
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/etptcA-V7visJtsIZb3AusEt2Js>
Subject: Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 May 2020 14:27:43 -0000


> On 11 May 2020, at 13:56, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> 
> 
> On Mon, May 11, 2020 at 5:34 AM Sara Dickinson <sara@sinodun.com <mailto:sara@sinodun.com>> wrote:
> 
> 
> > On 7 May 2020, at 17:41, Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote:
> > 
> > Extensively trimming:
> > 
> > To be honest, this thread has gotten so long that I've lost
> > track of the various changes being proposed, so here's
> > my comments on the text as a whole.
> > 
> 
> To be honest, I really thought we had pretty much converged on some text that had consensus for this section...
> 
> As I said at the beginning, i think it's generally problematic, for the reasons below, but as you insist on keeping it, I'm giving it a close read, and in that context, this framing is problematic.
> 
> 
> > > "An increasing number of applications are offering
> > > application-specific encrypted DNS resolution settings, rather than
> > > defaulting to using only the system resolver.  A variety of heuristics
> > > and resolvers are available in different applications including
> > > hard-coded lists of recognized DoH/DoT servers.
> > 
> > As I said earlier, I think this text is highly misleading.
> > There are at least two major loci of filtering via DNS:
> > 
> > 1. In the operating system itself via the system resolver
> >    or hooks into that resolver.
> > 
> > 2. In the network via (a) the selected resolver or (b) on-path
> >    filtering of the traffic to/from that resolver.
> > 
> > There are least three major application resolution technologies that
> > render one or more of these techniques ineffective:
> > 
> > 1. Using an application-level resolver which uses the system settings
> >    [what Chrome currently does] bypasses (1)
> > 
> > 2. Using an application-level resolver which uses DoH/DoT to the
> >    system configured resolver [what Edge and Chrome are experimenting
> >    with] bypasses (1) and maybe 2(b) if the network config gets out of
> >    sync (i.e., you don't want your system configured resolver to do
> >    DoH/DoT if you use network-level filtering, but it's easy to see
> >    how this can happen if (for instance) you just offer the the user
> >    the ISP resolver and they start supporting DoH/DoT
> > 
> > 3. Using an application-level resolver which uses DoH/DoT to
> >    an application-selected resolver [as in the Firefox TRR
> >    system] bypasses all of these.
> > 
> > The key point is that a lot of filtering is broken by reasons
> > that have nothing to do with encrypted transport, and so
> > this text is misleading.
> 
> Somewhat confused here.. the text you quote above does not mention filtering at all, was added in version -04 published in January and wasn’t referenced at all in your first review of -04. Are you now saying you want this specific text reworked?
> 
> The problem isn't this text specifically, it's that it's used in context for a section talking about how DoH and DoT interfere with filtering, but, as detailed above, that's only part of the story.
>  
> > > For users to have the ability to manage the DNS resolver settings for
> > > each individual application in a similar fashion to the OS DNS
> > > settings, each application would need to expose the default settings
> > > to the user, provide a configuration interface to change them, and
> > > support configuration of user specified resolvers.
> > 
> > This seems sort of true, though of course in some systems (I don't
> > know how common this is in the world of mostly single-user computers)
> > users actually can't change the system resolver settings.
> 
> We previously agreed text in section 6.1.1 that says both:
> 
> “ All major OS's expose the system DNS settings and allow users to
>    manually override them if desired."
> 
> Yes, this is true as well. 
> 
> “The vast majority of users do not change their default system DNS
>    settings and so implicitly accept the network settings for DNS."
> 
> Yes, I think this is true. 
> 
> 
> Getting into user specific authorisations around this isn’t something that has been proposed in any comment before and I’m not sure how useful it is at this point?
> 
> Well, the issue is that this text is being used to contrast application-specific settings to OS ones, so I'm not sure how not to get into it. 

Suggest modify the text about the OS settings to:

“ All major OS's expose the system DNS settings and allow users to manually override them if desired (on some systems this might be limited to only those users who have administrator rights.)”

And update the first and second paragraphs of this section to the following:

“An increasing number of applications are offering application-specific DNS resolution settings, rather than
defaulting to using only the system resolver. It should be noted that the privileges required to install such an application vary and so it may be possible to bypass administrator level controls on OS DNS resolver settings via this route. Many such applications offer encrypted transports - for these applications a variety of heuristics and resolvers are available including hard-coded lists of recognized DoH/DoT servers."

In order for users that are able to update their OS DNS resolver settings to have the ability to manage the DNS resolver settings for
each individual application in a similar fashion, each application would need to expose the default settings
to the user, provide a configuration interface to change them, and
support configuration of user specified resolvers."

> 
>  
> > > The system resolver resolution path is sometimes used to configure
> > > additional DNS controls e.g. query logging, domain based query
> > > re-direction or filtering.
> > 
> > This conflates the network and in-OS filtering discussed above,
> > which I really think needs expansion.
> 
> Suggest:
> 
> “The system resolver resolution path is sometimes used to configure additional device based DNS controls (distinct from any controls implemented at the network level) e.g. local query logging, domain based query re-direction or filtering."
> 
> Well, I agree with this parenthetical, but then it just reinforces my point that this not being about *encrypted* DNS but rather about application-specific DNS, because this text then becomes about method (1) and therefore implicates any application-level resolver, encrypted or not.

Above text changes should address this problem…? 

Sara.

v2.23.0 | Report a Bug | By Email