IETF Logo Mail Archive

Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>

Eric Rescorla <ekr@rtfm.com> Thu, 09 April 2020 13:25 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80D963A0B08 for <dns-privacy@ietfa.amsl.com>; Thu, 9 Apr 2020 06:25:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MiHrdg_ftWqE for <dns-privacy@ietfa.amsl.com>; Thu, 9 Apr 2020 06:25:00 -0700 (PDT)
Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED1A23A0B04 for <dns-privacy@ietf.org>; Thu, 9 Apr 2020 06:24:59 -0700 (PDT)
Received: by mail-lf1-x12d.google.com with SMTP id s13so7877660lfb.9 for <dns-privacy@ietf.org>; Thu, 09 Apr 2020 06:24:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=FseaB7HS/EEVt7GQ+m1pkYdZWjhZ4vsdY8vkp2ygB5U=; b=xhvnATpU6kHBkZKynf+DNfSd2gLQPBYMp2EPWWnSnsIu3zdQ1HtwtZMk240M2BQXIe W6mOJyzkOuQ9ghNa4f97UzTpSVSrbh1waiEs9bt5QDjsv0l1BOPeSjaRt61+h9gWUlX0 SlTZoXeODWd3xH0TjE0pZLwMC42DEhuIIuD4Ts3AIt+f8MgUzu6eLrWDbco6EWBOgIh9 7t/zfsr5zraOjdPmCIyH1EoliIu/ptiL6SzWQKOkbDrnNxVmkYOXoQzAJeMikzcMCoUB hsv3CFy601QbSZpJrIjfKHwAx8xsqNo296Hfp5SDgDwZs/fZ3Em3+DOBTQo8Wq5rAqLe lueA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=FseaB7HS/EEVt7GQ+m1pkYdZWjhZ4vsdY8vkp2ygB5U=; b=hcHuwIvyaRFdbw8aIt7Ki08MjDyCmCcMYl89NsBex+P37daXCbhHXb0BL7/CZBho8x ND0OHU/Oidu3BEz8xeAdia9CFVnj/k7PVbJdUzfdEL4edVpiu2/580wy38pwHLsF/Hbx bUUdS1F5GQPRsrduUVC/G7fJdGpOPSpqbzBwkPBS99ylGpVdL//TRMXCoDacGqWpK+fT IgclrXgD3HMMb4CcFNZwjauIGOjsePprH8xZ6SkuyiKKFjC9s0tyPA/Wdol3yxzB7Byx Exfg1zBWguCZmg+NAaff/VqC7EpX6SmWORgiPtIkEuGMBRx7MwXteoyATVt4BkWnwdEw qWww==
X-Gm-Message-State: AGi0PuaiPcZOSOcgJu37b1DDinh5Q8WwaU4x07cUT0l/ZT440JlyIYAL bdjENs79FjjdMkKBHyVO6+i7IfCDAItEgzGC7mG1Jb6CmsMDTw==
X-Google-Smtp-Source: APiQypKFQECm2ZlfXF3n7MUwb8eWs1jqoJQBcRjVK4ksnplIKSIH6sK8kDgGgJtEvUFriDNUWDzgEHfib/v6C14TrUo=
X-Received: by 2002:a19:6a06:: with SMTP id u6mr7637241lfu.140.1586438698137; Thu, 09 Apr 2020 06:24:58 -0700 (PDT)
MIME-Version: 1.0
References: <157955609351.1744.15099511006231348523.idtracker@ietfa.amsl.com> <417BE033-4DE5-452A-BE93-0657C83051BC@cisco.com> <CABcZeBPK3yAaoai4ccd=hSffk5cAhoSC7gnBNqs36x-xJf=R-Q@mail.gmail.com> <503E2696-AB4A-4020-90CC-802D312D23AF@sinodun.com> <CABcZeBOiEu8qO_VHtHc7Fs47Wh0tGDn3ywM5LDZtWoxuHZ_isw@mail.gmail.com> <721AD54C-0324-4400-8492-4AA19A64699D@sinodun.com> <CABcZeBP4CknS=9Y96CqgykChg4H_jrgkaWmHPN4319+nXe=10w@mail.gmail.com> <CAH1iCiobuYitR26Hh0pbYpA_JZoB1a1iMyHJs1FAgW9GtOk56g@mail.gmail.com> <CABcZeBNa-OTEYjnL=+-F=WK3hZiOWmty1S=FC43Fr3CxuCPE_g@mail.gmail.com> <32D26638-2464-4E7B-8869-C65F773EF5F2@sinodun.com> <CABcZeBNnAZ1ttKHdtZMwWZGvWAYn3jZBps+hXOBMHQXgaKPUEA@mail.gmail.com> <00AF0382-CD8B-46F3-9838-50602379FE9F@sinodun.com> <CABcZeBOELM=d0xXgYN+r4cNsRO6=oyQscdwwdSTqypV5gNra0A@mail.gmail.com> <F6C06842-9D76-45DF-84A0-B0C4D724E66E@sinodun.com> <CABcZeBPVocy593=WJM2k3Ytrwg36qc_1d4VQH3otRM5qyvZwLA@mail.gmail.com> <1388052392.1781.1586274052101@appsuite-gw1.open-xchange.com> <CABcZeBNi2LKvGFcmTM0uC+rFEVm5tgw6Zo1LS_CoO5=Zo0zqSA@mail.gmail.com> <C03AC6C2-9DCB-448A-B906-3062BD616E31@sinodun.com> <CAMOjQcGrWXFpStp=iVbo1jVN3qnen8rC71SyXv6evY2-MgUdxg@mail.gmail.com> <3345FB83-A19A-4542-8A8E-C535884B157F@sinodun.com>
In-Reply-To: <3345FB83-A19A-4542-8A8E-C535884B157F@sinodun.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 09 Apr 2020 06:24:21 -0700
Message-ID: <CABcZeBPP6J=a=hW6BLcMnKawupa3RjjpYAzgZ317=ryLy39n+A@mail.gmail.com>
To: Sara Dickinson <sara@sinodun.com>
Cc: Eric Orth <ericorth@google.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Vittorio Bertola <vittorio.bertola@open-xchange.com>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "draft-ietf-dprive-rfc7626-bis@ietf.org" <draft-ietf-dprive-rfc7626-bis@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000f817505a2db8b96"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/hEqkNZ8xyknMDWOSMuFtS375880>
Subject: Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Apr 2020 13:25:05 -0000

On Thu, Apr 9, 2020 at 4:00 AM Sara Dickinson <sara@sinodun.com> wrote:

>
>
> On 7 Apr 2020, at 17:22, Eric Orth <ericorth@google.com> wrote:
>
> "consistent application-level controls across the device"
>
> Right there is where followers of the misunderstanding will read this text
> incorrectly.  Browsers and other non-malicious applications allowing
> control does not guarantee consistent application control.
>
> On Tue, Apr 7, 2020 at 12:13 PM Sara Dickinson <sara@sinodun.com> wrote:
>
>>
>>
>> On 7 Apr 2020, at 16:47, Eric Rescorla <ekr@rtfm.com> wrote:
>>
>>
>>
>> On Tue, Apr 7, 2020 at 8:40 AM Vittorio Bertola <
>> vittorio.bertola@open-xchange.com> wrote:
>>
>>>
>>> Il 07/04/2020 17:23 Eric Rescorla <ekr@rtfm.com> ha scritto:
>>>
>>>
>>>
>>> On Tue, Apr 7, 2020 at 7:38 AM Sara Dickinson < sara@sinodun.com>
>>> wrote:
>>>
>>> The goal of this text is to enumerate for the end user the privacy
>>> considerations of using such an application so I propose this text:
>>>
>>> "For users to have the ability to manage the application-specific DNS
>>> settings in a similar fashion to the OS DNS settings, each application also
>>> needs to expose the default settings to the user, provide a configuration
>>> interface to change them, and support configuration of user specified
>>> resolvers.
>>>
>>> If all of the applications used on a given device also provide a setting
>>> to use the system resolver, then the device can be reverted to a single
>>> point of control for all DNS queries. If not, then (depending on the
>>> application and transport used for DNS queries) users should take note that
>>> they may not be able to inspect all their DNS queries or manage them to set
>>> device wide controls e.g. domain based query re-direction or filtering. “
>>>
>>>
>>> I don't think this addresses my concern, because "revert" implies that
>>> this is somehow the default situation, which, as I said, is not clearly the
>>> case because applications have been doing their own resolution for some
>>> time.
>>>
>>> In the interest of moving forward, i suggest you change the term
>>> "reverted" to "configured" and add at the end "Note that this does not
>>> guarantee controlling malware name resolution as it can simply ignore
>>> whatever the system resolver and any user configuration settings.."
>>>
>>> I don't understand where in the proposed text there was a reference to
>>> malware that prompted further discussion of the effectiveness of using DNS
>>> to counter it. In any case, if we think that we need to discuss this topic
>>> at that point in the draft, one should also note that there also are ways
>>> to prevent malware from reaching a different resolver, though they are less
>>> likely to work once connections are encrypted, etc. But I think that this
>>> would make reaching consensus even harder, so perhaps we could avoid doing
>>> so and just focus on suggestions related to application configuration.
>>>
>>
>> Well, I would be happy to strike this text entirely. However, the text
>> speaks of "control" and if we're going to say that, we should acknowledge
>> that the system DNS is not going to let you control malicious applications
>> because malware can just do its own resolution. As it is, I think the text
>> gives a false impression
>>
>>
>> How about making the last sentence a little more specific instead:
>>
>> If not, then (depending on the application and transport used for DNS
>> queries) users should take note that they may not be able to inspect the
>> DNS queries generated by such applications, or manage them to set
>> consistent application-level controls across the device for e.g. domain
>> based query re-direction or filtering. “
>>
>
> If the feeling is that it is really needed then I would suggest text that
> is consistent with that used in section 3.5.2.1, for example:
>
> “ In addition, if a client device is compromised by a malicious
> application, the attacker can
>   use application-specific DNS resolvers, transport and settings of its
> own choosing.”
>

Sort of. This seems like it still buries the lede.

"Note that if a client device is compromised by a malicious application,
the attacker can use application-specific DNS resolvers, transport and
settings of its own choosing and thus will not be affected by these
controls."


> Sara.
>
>
>
>> Sara.
>>
>>
>> -Ekr
>>
>> --
>>>
>>> Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
>>> vittorio.bertola@open-xchange.com
>>> Office @ Via Treviso 12, 10144 Torino, Italy
>>>
>>>
>> _______________________________________________
>> dns-privacy mailing list
>> dns-privacy@ietf.org
>> https://www.ietf.org/mailman/listinfo/dns-privacy
>>
>
>

v2.23.0 | Report a Bug | By Email