IETF Logo Mail Archive

Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>

Sara Dickinson <sara@sinodun.com> Tue, 28 April 2020 13:51 UTC

Return-Path: <sara@sinodun.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5560B3A15D3; Tue, 28 Apr 2020 06:51:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sinodun.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bZirzdd3BCc6; Tue, 28 Apr 2020 06:51:39 -0700 (PDT)
Received: from haggis.mythic-beasts.com (haggis.mythic-beasts.com [IPv6:2a00:1098:0:86:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B0D813A15BF; Tue, 28 Apr 2020 06:51:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sinodun.com ; s=mythic-beasts-k1; h=To:Date:Subject:From; bh=16V+so52cCcgxsLVPh4VFE7CZRxoqHG7/JYQQEyZpWI=; b=pXDRwQoedaq6Tjg9RwvGyxkLC8 WDqCw/xtVbDCYMP+Z6zgaVZB2kIKqbNuv0ilRagrpMa7nl9GNgdOKhrXF0KlJ/WONfa16wUGwdqIy BcLhkCiGphC5Dn/iNxiupvOAC8bPMYbbZEyCM7XEMSwrXqaw1amyLyUre2TkMtlHQlscyUWaug+HR 5GqahV5Vm6D5/aVtR5FZCchaIumljszH6oSN5hOtkUZSXeWtWM7BH1vTRNKRflkuoWUS0BYjDVBBN DUNYgRZNXES4uAOhwgj6nXXLJaJonXuuBmJWvbEv4ZdhYkDjaBDYinUPuBLZ3aoBGF5IYM8KggQjI cM/qCrWg==;
Received: from [62.232.251.194] (port=11672 helo=[172.27.240.4]) by haggis.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from <sara@sinodun.com>) id 1jTQe2-00013o-QX; Tue, 28 Apr 2020 14:51:31 +0100
From: Sara Dickinson <sara@sinodun.com>
Message-Id: <49BB8A48-8A7E-45D6-A04E-FE98C2FCD588@sinodun.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_500105E6-3AD6-4F02-A723-66E483969BA5"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.14\))
Date: Tue, 28 Apr 2020 14:51:22 +0100
In-Reply-To: <7449D408-1203-40AF-AFA7-68A44B549510@sinodun.com>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Eric Rescorla <ekr@rtfm.com>
References: <157955609351.1744.15099511006231348523.idtracker@ietfa.amsl.com> <417BE033-4DE5-452A-BE93-0657C83051BC@cisco.com> <CABcZeBPK3yAaoai4ccd=hSffk5cAhoSC7gnBNqs36x-xJf=R-Q@mail.gmail.com> <503E2696-AB4A-4020-90CC-802D312D23AF@sinodun.com> <CABcZeBOiEu8qO_VHtHc7Fs47Wh0tGDn3ywM5LDZtWoxuHZ_isw@mail.gmail.com> <721AD54C-0324-4400-8492-4AA19A64699D@sinodun.com> <CABcZeBP4CknS=9Y96CqgykChg4H_jrgkaWmHPN4319+nXe=10w@mail.gmail.com> <CAH1iCiobuYitR26Hh0pbYpA_JZoB1a1iMyHJs1FAgW9GtOk56g@mail.gmail.com> <CABcZeBNa-OTEYjnL=+-F=WK3hZiOWmty1S=FC43Fr3CxuCPE_g@mail.gmail.com> <32D26638-2464-4E7B-8869-C65F773EF5F2@sinodun.com> <CABcZeBNnAZ1ttKHdtZMwWZGvWAYn3jZBps+hXOBMHQXgaKPUEA@mail.gmail.com> <00AF0382-CD8B-46F3-9838-50602379FE9F@sinodun.com> <CABcZeBOELM=d0xXgYN+r4cNsRO6=oyQscdwwdSTqypV5gNra0A@mail.gmail.com> <F6C06842-9D76-45DF-84A0-B0C4D724E66E@sinodun.com> <CABcZeBPVocy593=WJM2k3Ytrwg36qc_1d4VQH3otRM5qyvZwLA@mail.gmail.com> <1388052392.1781.1586274052101@appsuite-gw1.open-xchange.com> <CABcZeBNi2LKvGFcmTM0uC+rFEVm5tgw6Zo1LS_CoO5=Zo0zqSA@mail.gmail.com> <C03AC6C2-9DCB-448A-B906-3062BD616E31@sinodun.com> <CAMOjQcGrWXFpStp=iVbo1jVN3qnen8rC71SyXv6evY2-MgUdxg@mail.gmail.com> <3345FB83-A19A-4542-8A8E-C535884B157F@sinodun.com> <CABcZeBPP6J=a=hW6BLcMnKawupa3RjjpYAzgZ317=ryLy39n+A@mail.gmail.com> <8CEFE3CB-A88C-4BBC-95B8-9850142DB5EE@sinodun.com> <CABcZeBPF41eq-HYXdYScx7bqYyUO7-oH6zWKqj7Ka23u8x_E4A@mail.gmail.com> <7449D408-1203-40AF-AFA7-68A44B549510@sinodun.com>
X-Mailer: Apple Mail (2.3445.104.14)
X-BlackCat-Spam-Score: 4
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/iugrfYJowBd0XI_6oP_kE7UxD80>
Subject: Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2020 13:51:49 -0000

Hi Ekr, 

Could you comment on the latest proposed text below? I believe this is the last comment to resolve from the IETF LC on this draft...

Best regards

Sara. 

> On 20 Apr 2020, at 11:41, Sara Dickinson <sara@sinodun.com> wrote:
> 
> 
> 
>> On 9 Apr 2020, at 15:35, Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote:
>> 
>> 
>> 
>> On Thu, Apr 9, 2020 at 6:36 AM Sara Dickinson <sara@sinodun.com <mailto:sara@sinodun.com>> wrote:
>> 
>> 
>>> On 9 Apr 2020, at 14:24, Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote:
>>> 
>> 
>> <snip>
>> 
>>>> 
>>>> How about making the last sentence a little more specific instead:
>>>> 
>>>> If not, then (depending on the application and transport used for DNS queries) users should take note that they may not be able to inspect the DNS queries generated by such applications, or manage them to set consistent application-level controls across the device for e.g. domain based query re-direction or filtering. “
>>> 
>>> If the feeling is that it is really needed then I would suggest text that is consistent with that used in section 3.5.2.1, for example:
>>> 
>>> “ In addition, if a client device is compromised by a malicious application, the attacker can
>>>   use application-specific DNS resolvers, transport and settings of its own choosing.”
>>> 
>>> Sort of. This seems like it still buries the lede.
>>> 
>>> "Note that if a client device is compromised by a malicious application, the attacker can use application-specific DNS resolvers, transport and settings of its own choosing and thus will not be affected by these controls.”
>> 
>> By 'these controls’ do you mean any controls that the malicious application appears to offer to the user? If so, then does this capture your point: 
>> 
>> "Note that if a client device is compromised by a malicious application, the attacker can use application-specific DNS resolvers, transport and settings of its own choosing regardless of what DNS configuration the malicious application may appear to offer the user (if any).”
>> 
>> No. My point is that the platform level DNS controls that you are trying to use don't work in this case.
> 
> I see the confusion now, the sentence beginning ‘If not,’ was meant to refer to whether (if they didn’t support using the system resolver) individual applications offered per-application settings to inspect/manage the DNS queries e.g. export session keys. To try to rework the text in context:
> 
> "An increasing number of applications are offering application-specific encrypted DNS resolution settings, rather than defaulting to using only the system resolver.  A variety of heuristics and resolvers are available in different applications including hard-coded lists of recognized DoH/DoT servers.
> 
> For users to have the ability to manage the DNS resolver settings for each individual application in a similar fashion to the OS DNS settings, each application would need to expose the default settings to the user, provide a configuration interface to change them, and support configuration of user specified resolvers.  
> 
> The system resolver resolution path is sometimes used to configure additional DNS controls e.g. query logging, domain based query re-direction or filtering. 
> If all of the applications used on a given device can be configured to use the system resolver, such controls need only be configured on the system resolver resolution path. However if applications offer neither the option to use the system resolver nor equivalent application-specific DNS controls then users should take note that for queries generated by such an application they may not be able to
> * directly inspect the DNS queries (e.g. if they are encrypted), or 
> * manage them to set DNS controls across the device which are consistent with the system resolver controls. 
> 
> Note that if a client device is compromised by a malicious application, the attacker can use application-specific DNS resolvers, transport and controls of its own choosing.“
> 
> Sara. 
> 
>> 
>> -Ekr
>> 
>> 
>> Sara. 
>

v2.23.0 | Report a Bug | By Email