Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]

Christian Huitema <huitema@huitema.net> Sun, 24 May 2020 18:17 UTC

To: Paul Wouters <paul@nohats.ca>, Peter van Dijk <peter.van.dijk@powerdns.com>
Cc: dns-privacy@ietf.org
References: <158987990316.29446.4343920282978207647@ietfa.amsl.com> <a15e2d1df86820f2483516662d3712d8a60161cd.camel@powerdns.com> <alpine.LRH.2.21.2005191134560.13722@bofh.nohats.ca> <ec6bc9248179a9ab56ea490f82b14c7e90ffe819.camel@powerdns.com> <alpine.LRH.2.21.2005241222410.4172@bofh.nohats.ca>
From: Christian Huitema <huitema@huitema.net>
Autocrypt: addr=huitema@huitema.net; prefer-encrypt=mutual; keydata= mQENBFIRX8gBCAC26usy/Ya38IqaLBSu33vKD6hP5Yw390XsWLaAZTeQR64OJEkoOdXpvcOS HWfMIlD5s5+oHfLe8jjmErFAXYJ8yytPj1fD2OdSKAe1TccUBiOXT8wdVxSr5d0alExVv/LO I/vA2aU1TwOkVHKSapD7j8/HZBrqIWRrXUSj2f5n9tY2nJzG9KRzSG0giaJWBfUFiGb4lvsy IaCaIU0YpfkDDk6PtK5YYzuCeF0B+O7N9LhDu/foUUc4MNq4K3EKDPb2FL1Hrv0XHpkXeMRZ olpH8SUFUJbmi+zYRuUgcXgMZRmZFL1tu6z9h6gY4/KPyF9aYot6zG28Qk/BFQRtj7V1ABEB AAG0J0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PokBOQQTAQIAIwUC UhFfyAIbLwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEJNDCbJVyA1yhbYH/1ud6x6m VqGIp0JcZUfSQO8w+TjugqxCyGNn+w/6Qb5O/xENxNQ4HaMQ5uSRK9n8WKKDDRSzwZ4syKKf wbkfj05vgFxrjCynVbm1zs2X2aGXh+PxPL/WHUaxzEP7KjYbLtCUZDRzOOrm+0LMktngT/k3 6+EZoLEM52hwwpIAzJoscyEz7QfqMOZtFm6xQnlvDQeIrHx0KUvwo/vgDLK3SuruG1CSHcR0 D24kEEUa044AIUKBS3b0b8AR7f6mP2NcnLpdsibtpabi9BzqAidcY/EjTaoea46HXALk/eJd 6OLkLE6UQe1PPzQC4jB7rErX2BxnSkHDw50xMgLRcl5/b1a5AQ0EUhFfyAEIAKp7Cp8lqKTV CC9QiAf6QTIjW+lie5J44Ad++0k8gRgANZVWubQuCQ71gxDWLtxYfFkEXjG4TXV/MUtnOliG 5rc2E+ih6Dg61Y5PQakm9OwPIsOx+2R+iSW325ngln2UQrVPgloO83QiUoi7mBJPbcHlxkhZ bd3+EjFxSLIQogt29sTcg2oSh4oljUpz5niTt69IOfZx21kf29NfDE+Iw56gfrxI2ywZbu5o G+d0ZSp0lsovygpk4jK04fDTq0vxjEU5HjPcsXC4CSZdq5E2DrF4nOh1UHkHzeaXdYR2Bn1Y wTePfaHBFlvQzI+Li/Q6AD/uxbTM0vIcsUxrv3MNHCUAEQEAAYkCPgQYAQIACQUCUhFfyAIb LgEpCRCTQwmyVcgNcsBdIAQZAQIABgUCUhFfyAAKCRC22tOSFDh1UOlBB/94RsCJepNvmi/c YiNmMnm0mKb6vjv43OsHkqrrCqJSfo95KHyl5Up4JEp8tiJMyYT2mp4IsirZHxz/5lqkw9Az tcGAF3GlFsj++xTyD07DXlNeddwTKlqPRi/b8sppjtWur6Pm+wnAHp0mQ7GidhxHccFCl65w uT7S/ocb1MjrTgnAMiz+x87d48n1UJ7yIdI41Wpg2XFZiA9xPBiDuuoPwFj14/nK0elV5Dvq 4/HVgfurb4+fd74PV/CC/dmd7hg0ZRlgnB5rFUcFO7ywb7/TvICIIaLWcI42OJDSZjZ/MAzz BeXm263lHh+kFxkh2LxEHnQGHCHGpTYyi4Z3dv03HtkH/1SI8joQMQq00Bv+RdEbJXfEExrT u4gtdZAihwvy97OPA2nCdTAHm/phkzryMeOaOztI4PS8u2Ce5lUB6P/HcGtK/038KdX5MYST Fn8KUDt4o29bkv0CUXwDzS3oTzPNtGdryBkRMc9b+yn9+AdwFEH4auhiTQXPMnl0+G3nhKr7 jvzVFJCRif3OAhEm4vmBNDE3uuaXFQnbK56GJrnqVN+KX5Z3M7X3fA8UcVCGOEHXRP/aubiw Ngawj0V9x+43kUapFp+nF69R53UI65YtJ95ec4PTO/Edvap8h1UbdEOc4+TiYwY1TBuIKltY 1cnrjgAWUh/Ucvr++/KbD9tD6C8=
Message-ID: <e052fb45-dff7-72dc-d401-60138422d6b0@huitema.net>
Date: Sun, 24 May 2020 10:59:33 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0
MIME-Version: 1.0
In-Reply-To: <alpine.LRH.2.21.2005241222410.4172@bofh.nohats.ca>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/hqdJU6UyzygMY6SplgaaL7b6NvI>
Subject: Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]
Precedence: list

On 5/24/2020 10:43 AM, Paul Wouters wrote:

> Let's assume we can connect to the .ca nameservers securely and
> privately. We query for nohats.ca. If there is no DS, all bets
> are off as the child cannot signal anything to us securely. If
> there is a DS, we also got NS records, and possibly A/AAAA glue.
>
> In the case of getting A/AAAA glue, we can connect using DoT if
> we knew this was an option (eg signaled in the DS record).

Paul,

The privacy risks or gains depend on the "anonymity set", which in this
case means "all the domains served by the DNS server to which the client
is sending the query". Getting the data directly from a TLD server mixes
the query in the anonymity set of that TLD server; getting the data from
an authoritative server mixes the query in the anonymity set of that
authoritative server. Which one is largest depends on circumstances. Is
the anonymity set of .CA larger than that of Route 53, or Dyn DNS?

This brings of course the complex relationship between privacy and
centralization. One one hand, big services provide large anonymity sets.
On the other hand, these big services can track queries to lots of
domains. If the client really wants privacy, then maybe it should use
ToR or some other mixer to hide its IP address, in which case the debate
is moot.

-- Christian Huitema

[dns-privacy] [Fwd: New Version Notification for … Peter van Dijk
Re: [dns-privacy] [Fwd: New Version Notification … Mikael Abrahamsson
Re: [dns-privacy] [Fwd: New Version Notification … Jeremy Harris
Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
Re: [dns-privacy] [Fwd: New Version Notification … Christian Huitema
Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
Re: [dns-privacy] [Fwd: New Version Notification … Ondřej Surý
Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
Re: [dns-privacy] [Fwd: New Version Notification … Tony Finch
Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
Re: [dns-privacy] [Fwd: New Version Notification … Stephen Farrell
Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
Re: [dns-privacy] [Fwd: New Version Notification … Shumon Huque
Re: [dns-privacy] [Fwd: New Version Notification … Eric Rescorla
Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
Re: [dns-privacy] [Fwd: New Version Notification … Eric Rescorla
Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
Re: [dns-privacy] [Fwd: New Version Notification … Tony Finch
Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
Re: [dns-privacy] [Fwd: New Version Notification … Christian Huitema
Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
[dns-privacy] re-evaluation of the draft, was Re:… Paul Wouters
Re: [dns-privacy] re-evaluation of the draft, was… Robin Geuze
Re: [dns-privacy] re-evaluation of the draft, was… Shumon Huque
Re: [dns-privacy] re-evaluation of the draft, was… Peter van Dijk
Re: [dns-privacy] re-evaluation of the draft, was… Shumon Huque
Re: [dns-privacy] NS names, was re-evaluation of … John Levine
Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
Re: [dns-privacy] re-evaluation of the draft, was… Paul Wouters
Re: [dns-privacy] NS names, was re-evaluation of … Christian Huitema
Re: [dns-privacy] re-evaluation of the draft, was… Peter van Dijk
Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
Re: [dns-privacy] NS names, was re-evaluation of … Paul Wouters
Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
Re: [dns-privacy] NS names, was re-evaluation of … Bill Woodcock
Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
Re: [dns-privacy] NS names, was re-evaluation of … Bill Woodcock
Re: [dns-privacy] NS names, was re-evaluation of … John R Levine
Re: [dns-privacy] NS names, was re-evaluation of … Brian Dickson
Re: [dns-privacy] bootstrapping NS names, was re-… John Levine
Re: [dns-privacy] bootstrapping NS names, was re-… Brian Dickson
Re: [dns-privacy] bootstrapping NS names, was re-… John R Levine