Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>
Brian Dickson <brian.peter.dickson@gmail.com> Mon, 09 March 2020 21:15 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B22CD3A172E; Mon, 9 Mar 2020 14:15:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D7CzgFUEqG9s; Mon, 9 Mar 2020 14:14:58 -0700 (PDT)
Received: from mail-vk1-xa2d.google.com (mail-vk1-xa2d.google.com [IPv6:2607:f8b0:4864:20::a2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C64CF3A161E; Mon, 9 Mar 2020 14:14:57 -0700 (PDT)
Received: by mail-vk1-xa2d.google.com with SMTP id k63so836744vka.7; Mon, 09 Mar 2020 14:14:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Idm9GUMYuYu9/B6c6ukYvBrOwM2AE3bTgAwZRTrNB3k=; b=ml9hhMknZeWJlKyhvW1zV1VRB6AqXbKW0Oo3u+sJ7VuJJs9MHuTZKFjih7syMtSut3 rUJt+SnS7F3HHZ5uDc6xraqEnv+JACIiNrmiQByqO06x63+ShaN3fAotqjvnsaB8NpAM OeShaOEAqdNlVVaaIVSJWe/90theWZ1qv/h1LD9MMfy4H2nVJsm9Pq/bpc8h0q1yh539 XntHGbMIW132IJhrn+HFbjjCmKR4lnR6RMOpB8ZxZsdOUj81TI0bzXaEuEGY/liBYZEF 7oGEKJgNjlCGlj7+Ho7QP6qsSYp2QX1GpYju1sExnxYVThBZKI41i8xIH3n27K8wmd2L H7Ww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Idm9GUMYuYu9/B6c6ukYvBrOwM2AE3bTgAwZRTrNB3k=; b=dnnfdMf5KuIf1gkT9assEqXHlymqxkceeF7t1PeUzdOQSXur5RTLoPBuOy/Rfvt3RA 62nMmciPSRiYmUkaXPJyZ6SYWUVjuM6JzukLKNWnMTEeirubyWRD1Ljoem9TziU6+q5p t3526SB2yH/rCMX5h4YnHIVuckyfqUl5qaMFZ4IhZ1dd6P/LhNgQogG71XFLorbqDUmQ oRzHLLiYxtwsXSgnK6h/dxa3TxcA0PgeXPdcWaojyxZ2ZgdZ433lKPA+6guZNIEUScY/ LO9f9fei9idUkdp3ZPnfnlrr1OjMr37RSMhW1tjeVQrbjJAGSZa/2y4+2FIZo4yFCTrp kYTQ==
X-Gm-Message-State: ANhLgQ2dm8mLV2OkRGoZrhc+x9hgWnJtScK2yX4fxUY5HXNss8j6Abs2 Ja0M7yXUYW7M0NhKrH4oV+4EOtfu9JWQ4yCHQhY=
X-Google-Smtp-Source: ADFU+vu+GE8L+OgrZvkllmm+S5exwDkeQSviALdnjj7sS755dgA1MQXz5q53gNojSXaHxoi6V0K7o0wdNuKLvilEcU8=
X-Received: by 2002:a1f:8c0b:: with SMTP id o11mr1949771vkd.60.1583788496628; Mon, 09 Mar 2020 14:14:56 -0700 (PDT)
MIME-Version: 1.0
References: <157955609351.1744.15099511006231348523.idtracker@ietfa.amsl.com> <417BE033-4DE5-452A-BE93-0657C83051BC@cisco.com> <CABcZeBPK3yAaoai4ccd=hSffk5cAhoSC7gnBNqs36x-xJf=R-Q@mail.gmail.com> <503E2696-AB4A-4020-90CC-802D312D23AF@sinodun.com> <CABcZeBOiEu8qO_VHtHc7Fs47Wh0tGDn3ywM5LDZtWoxuHZ_isw@mail.gmail.com> <721AD54C-0324-4400-8492-4AA19A64699D@sinodun.com> <CABcZeBP4CknS=9Y96CqgykChg4H_jrgkaWmHPN4319+nXe=10w@mail.gmail.com> <CAH1iCiobuYitR26Hh0pbYpA_JZoB1a1iMyHJs1FAgW9GtOk56g@mail.gmail.com> <CABcZeBNa-OTEYjnL=+-F=WK3hZiOWmty1S=FC43Fr3CxuCPE_g@mail.gmail.com> <32D26638-2464-4E7B-8869-C65F773EF5F2@sinodun.com> <CABcZeBNnAZ1ttKHdtZMwWZGvWAYn3jZBps+hXOBMHQXgaKPUEA@mail.gmail.com> <00AF0382-CD8B-46F3-9838-50602379FE9F@sinodun.com> <CABcZeBOELM=d0xXgYN+r4cNsRO6=oyQscdwwdSTqypV5gNra0A@mail.gmail.com> <CAH1iCiqJE9YRcM5W2DqbpO26cMWchmCDTS6y_59h1PV1nZ01gQ@mail.gmail.com> <CABcZeBMbonUUyTHzu2G3EKwePvnBDzkR9o5dp_YLMopq1sQ4xg@mail.gmail.com>
In-Reply-To: <CABcZeBMbonUUyTHzu2G3EKwePvnBDzkR9o5dp_YLMopq1sQ4xg@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Mon, 09 Mar 2020 14:14:45 -0700
Message-ID: <CAH1iCio92f8-FP+ach1ObNdavwh7V6guKXA3qFW6785h27b20g@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Sara Dickinson <sara@sinodun.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "draft-ietf-dprive-rfc7626-bis@ietf.org" <draft-ietf-dprive-rfc7626-bis@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bdb44905a0727e20"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/kQExcrd7HWKYrnXC9QzDHlg2U7c>
Subject: Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Mar 2020 21:15:02 -0000
On Mon, Mar 9, 2020 at 1:14 PM Eric Rescorla <ekr@rtfm.com> wrote: > > > On Mon, Mar 9, 2020 at 12:18 PM Brian Dickson < > brian.peter.dickson@gmail.com> wrote: > >> >> >> On Mon, Mar 9, 2020 at 8:01 AM Eric Rescorla <ekr@rtfm.com> wrote: >> >>> >>> >>> On Mon, Mar 9, 2020 at 3:55 AM Sara Dickinson <sara@sinodun.com> wrote: >>> >>>> >>>> >>>> On 6 Mar 2020, at 13:32, Eric Rescorla <ekr@rtfm.com> wrote: >>>> >>>> >>>> >>>> On Mon, Mar 2, 2020 at 7:16 AM Sara Dickinson <sara@sinodun.com> wrote: >>>> >>>>> >>>>> >>>>> On 29 Feb 2020, at 02:03, Eric Rescorla <ekr@rtfm.com> wrote: >>>>> >>>>> >>>>> >>>>> On Fri, Feb 28, 2020 at 4:50 PM Brian Dickson < >>>>> brian.peter.dickson@gmail.com> wrote: >>>>> >>>>>> >>>>>> >>>>>> On Fri, Feb 28, 2020 at 3:15 PM Eric Rescorla <ekr@rtfm.com> wrote: >>>>>> >>>>>>> >>>>>>> >>>>>>> On Wed, Feb 26, 2020 at 6:19 AM Sara Dickinson <sara@sinodun.com> >>>>>>> wrote: >>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On 23 Jan 2020, at 13:53, Eric Rescorla <ekr@rtfm.com> wrote: >>>>>>>> >>>>>>>> On Thu, Jan 23, 2020 at 5:08 AM Sara Dickinson <sara@sinodun.com> >>>>>>>> wrote: >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On 20 Jan 2020, at 22:37, Eric Rescorla <ekr@rtfm.com> wrote: >>>>>>>> >>>>>>>> Review comments attached: >>>>>>>> >>>>>>>> >>>>>>>> COMMENTS >>>>>>>>> S 3.1. >>>>>>>>> > described above, and may not have any confidentiality >>>>>>>>> requirements. >>>>>>>>> > However, the same is not true of a single transaction or a >>>>>>>>> sequence >>>>>>>>> > of transactions; that transaction is not / should not be >>>>>>>>> public. A >>>>>>>>> > typical example from outside the DNS world is: the web site >>>>>>>>> of >>>>>>>>> > Alcoholics Anonymous is public; the fact that you visit it >>>>>>>>> should not >>>>>>>>> > be. >>>>>>>>> >>>>>>>>> Well, technically what you want to conceal is the origin of the >>>>>>>>> transaction or its linkage to other transactions. The existence of >>>>>>>>> the >>>>>>>>> query for that A record isn't secret. >>>>>>>>> >>>>>>>>> >>>>>>>>> Suggest: >>>>>>>>> >>>>>>>>> “that transaction (and specifically the origin of that >>>>>>>>> transaction) is not / should not be public." >>>>>>>>> >>>>>>>> >>>>>>>> The parenthetical swallows the main sentence. The accurate thing to >>>>>>>> say is: >>>>>>>> >>>>>>>> In general, the existence of a single query is not sensitive -- >>>>>>>> though there may be exceptions >>>>>>>> for some very low use domains. However, the origin of a given query >>>>>>>> may leak information >>>>>>>> about specific users and the ability to link queries reveals >>>>>>>> information about individual use >>>>>>>> patterns. >>>>>>>> >>>>>>>> >>>>>>>> To fit with existing text suggest: >>>>>>>> >>>>>>>> However, the same is not true of a single transaction or a sequence >>>>>>>> of transactions; those transaction are not / should not be public. >>>>>>>> A single >>>>>>>> transactions reveals both the originator of the query and the >>>>>>>> query >>>>>>>> contents which potentially leaks sensitive information about a >>>>>>>> specific user. A >>>>>>>> typical example from outside the DNS world is: the web site of >>>>>>>> Alcoholics Anonymous is public; the fact that you visit it should >>>>>>>> not >>>>>>>> be. >>>>>>>> >>>>>>> >>>>>>> I find this text a bit clumsy, but OK. >>>>>>> >>>>>>> >>>>>>> Furthermore, the ability to link queries reveals information about >>>>>>>> individual use patterns. >>>>>>>> >>>>>>> >>>>>>> The key thing is "link queries as being from the same user” >>>>>>> >>>>>> >>>>> OK - will include that. >>>>> >>>>> >>>>> >>>>>>> >>>>>>>> <snip> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> S 3.4.2. >>>>>>>>> > services available. Given this, the choice of a user to >>>>>>>>> configure a >>>>>>>>> > single resolver (or a fixed set of resolvers) and an >>>>>>>>> encrypted >>>>>>>>> > transport to use in all network environments can actually >>>>>>>>> serve to >>>>>>>>> > identify the user as one that desires privacy and can >>>>>>>>> provide an >>>>>>>>> > added mechanism to track them as they move across network >>>>>>>>> > environments. >>>>>>>>> >>>>>>>>> I don't understand this paragraph. It's not the choice of specific >>>>>>>>> resolvers that leaks data, but the choice to turn on encryption, In >>>>>>>>> fact, from an identification purpose, the more resolvers that >>>>>>>>> support >>>>>>>>> encrypted transport, the better signal this is. >>>>>>>>> >>>>>>>>> >>>>>>>>> This was driven by an observation that many early adopters set up >>>>>>>>> their own DoT server and used that from all their devices, which could act >>>>>>>>> as a way to identify that user. >>>>>>>>> >>>>>>>> >>>>>>>> 1. This seems like an edge case. >>>>>>>> 2. We already have plenty of people running their own unencrypted >>>>>>>> resolvers for other reasons. >>>>>>>> >>>>>>>> >>>>>>>> I can live with removing this text, but it does seem there is >>>>>>>> something to say about the fact configuring a single resolver for a device >>>>>>>> could differentiate a user…. >>>>>>>> >>>>>>> >>>>>>> Sure, but this has nothing to do with DoH or DoT. >>>>>>> >>>>>>> >>>>>> I think the text might be clearer if the bit "as one that desires >>>>>> privacy and" were removed. >>>>>> The issue isn't whether a specific user desires privacy, it is >>>>>> whether a specific user can be identified and tracked. >>>>>> >>>>>> This RFC update, is about privacy. >>>>>> This particular section is on encrypted transport. >>>>>> This paragraph is highlighting that configuring a static list of >>>>>> resolvers, even if those use encrypted transport, may expose the user to >>>>>> privacy risks due to that constant set of resolvers, as the user moves >>>>>> between networks. >>>>>> And this risk is inversely proportional to the number of users of the >>>>>> resolver. >>>>>> Maybe this last bit needs to be added to emphasis why this is a risk? >>>>>> >>>>>> It's about the fact that DoH/DoT don't protect against this or >>>>>> mitigate it, even if the payload is encrypted. I.e. it doesn't not have >>>>>> anything to do with DoH/DoT; it's bigger than DoH/DoT, and DoH/DoT don't >>>>>> fix the problem. >>>>>> >>>>> >>>>> Yes, I agree with that, but this risk is generic to DNS even if you >>>>> use your own resolver (e.g., pihole) which we know people do. Therefore it >>>>> does not belong in this section as a risk of DoH/DoT.. >>>>> >>>>> >>>>> I think the more general case is alluded to in the forth bullet point >>>>> of section 3.4.1 without being called out specifically…. >>>>> >>>>> One option would be update the first sentence of that bullet point to >>>>> say “The recursive resolver can be a public DNS service (or a privately run >>>>> DNS resolver hosted on the public internet).” and to add the following >>>>> sentence to the end of the bullet point >>>>> >>>>> “It can be noted that the choice of a user to configure a single >>>>> resolver (even when using an encrypted transport) can actually serve to aid >>>>> tracking of that user as they move across network environments." >>>>> >>>>> Then remove the fifth paragraph from section 3.4.2? >>>>> >>>> >>>> This seems close. >>>> >>>> "It can be noted that if the user selects a single infrequently used >>>> resolver (even when using an encrypted transport) it can actually serve to >>>> aid tracking of that user as they move across network environment" >>>> >>>> I think we can agree that using Google Public DNS probably doesn't have >>>> this property. >>>> >>>> >>>> Agreed - I might say ’selects a single resolver with a small client >>>> population (even when….’ just to make clear the infrequent usage relates to >>>> number of clients not query rate :-) >>>> >>>> >>>> >>>>> >>>>>> >>>>>>> >>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> >>>>>>>>> S 3.5.1..1.2. >>>>>>>>> > >>>>>>>>> > o communicate clearly the change in default to users >>>>>>>>> > >>>>>>>>> > o provide configuration options to change the default >>>>>>>>> > >>>>>>>>> > o provide configuration options to always use the system >>>>>>>>> resolver >>>>>>>>> >>>>>>>>> I get that you think this is neutral, but all of this is equally >>>>>>>>> true >>>>>>>>> about dynamic discovery via DHCP, it's just that that's the status >>>>>>>>> quo, so you don't notice it. In this context, this text is >>>>>>>>> tendentious. >>>>>>>>> >>>>>>>>> >>>>>>>>> The first paragraph of section 3.5.1.1 talks about the variability >>>>>>>>> of DNS resolution privacy with network (assuming DHCP). I can add some text >>>>>>>>> there to better explain the status quo if you think it is needed. Suggest: >>>>>>>>> >>>>>>>>> “Typically joining a new network requires some form of user action >>>>>>>>> (e.g physically plugging in a cable or selecting a network in a OS >>>>>>>>> dialogue) and so a user is also implicitly choosing to use the >>>>>>>>> DHCP-provided resolver via this action too." >>>>>>>>> >>>>>>>> >>>>>>>> The user has no idea that such a DHCP resolver even exists. And you >>>>>>>> could say the same thing about the user's choice to install an application >>>>>>>> with its own resolver selection logic. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> I can’t think of a mobile or desktop OS that doesn’t allow users >>>>>>>>> to override the DHCP provided DNS settings…. but I could text about that in >>>>>>>>> section 5.1.1. if you really think it is needed? >>>>>>>>> >>>>>>>> >>>>>>>> This isn't about that. AFAICT most major applications also allow >>>>>>>> you to use the system resolver choices. Rather, the issue here is the >>>>>>>> repeated arguments in this discussion (which you implicitly accept above) >>>>>>>> that the current status quo somehow represents user choice whereas an >>>>>>>> application choosing its own resolver does not. And both this text and your >>>>>>>> proposed text implicitly takes a position on that. >>>>>>>> >>>>>>>> >>>>>>>> I think that is reading quite a bit into the text however, to >>>>>>>> reduce any implicit misinterpretation I propose trying to further align the >>>>>>>> two sections… >>>>>>>> >>>>>>>> 1) Replace the first paragraph in section 3.5.1.1 with the >>>>>>>> following: >>>>>>>> >>>>>>>> "Given all the above considerations, the choice of recursive >>>>>>>> resolver has direct privacy considerations for end users. Historically, >>>>>>>> end user devices have used the DHCP-provided local network recursive >>>>>>>> resolver. Because of this, the choice by a user to join a particular >>>>>>>> network (e.g. by physically plugging in a cable or selecting a network in >>>>>>>> a OS dialogue) also determines the default system DNS resolver selection; >>>>>>>> the two are directly coupled in this model. >>>>>>>> >>>>>>>> The vast majority of users do not change their default system DNS >>>>>>>> settings and so implicitly accept the network settings for DNS. The network >>>>>>>> resolvers have therefore historically been the sole destination for all of >>>>>>>> the DNS queries from a device. These resolvers may have strong, medium, or >>>>>>>> weak privacy policies depending on the network. Privacy policies for these >>>>>>>> servers may or may not be available and users need to be aware that privacy >>>>>>>> guarantees will vary with network. >>>>>>>> >>>>>>>> All major OS’s expose the system DNS settings and allow users to >>>>>>>> manually override them if desired.” >>>>>>>> >>>>>>>> >>>>>>>> 2) And replace the second paragraph of 3.5.1.1.2 with this: >>>>>>>> >>>>>>>> "Such application-specific settings introduce new control points on >>>>>>>> end user devices for DNS resolution settings in addition to the >>>>>>>> historically used system settings discussed in Section 3.5.1.1. They >>>>>>>> therefore alter the DNS privacy considerations for the device by >>>>>>>> introducing additional destinations for DNS queries. >>>>>>>> >>>>>>>> Users will only be aware that a new control point (with new >>>>>>>> defaults) exists if an application clearly communicates this to the user on >>>>>>>> install or upgrade. >>>>>>>> >>>>>>> >>>>>>> This reflects status quo bias. If you want to say this, then you >>>>>>> need to point out that essentially no OS clearly communicates that it is >>>>>>> selecting the DHCP resolver. >>>>>>> >>>>>> >>>>>> IMHO, this is fair, and probably adds a bit of clarity; perhaps some >>>>>> wordsmithing on the start of 3.5.1.1 would benefit both this and other >>>>>> subsections of 3.5.1.1. >>>>>> Suggestion: >>>>>> >>>>>> Old: "Historically, end user devices have used the DHCP-provided >>>>>> local network recursive resolver, which may have strong, medium, or >>>>>> weak privacy policies depending on the network." >>>>>> >>>>>> New: "Historically, end user devices have used the OS-selected >>>>>> recursive resolver, whose identity is not exposed or discoverable. >>>>>> The OS may have been configured with a static set of resolvers, or may use >>>>>> a DHCP-provided local network resolver. This OS-selected resolver may have >>>>>> strong, medium, or weak privacy policies, which for DHCP provided resolvers >>>>>> may depend on the network." >>>>>> >>>>>> The gist of this is, over-riding the default has effects that the >>>>>> application cannot know, because the OS resolver choice is generally not >>>>>> known, and by extension, the privacy policies cannot be known. >>>>>> >>>>> >>>>> I don't believe this is accurate. In general there are (not that >>>>> portable) mechanisms for determining the DNS configuration, as is done in >>>>> Chromium: >>>>> >>>>> https://cs.chromium.org/chromium/src/net/dns/?sq=package:chromium&dr=CSs&g=0 >>>>> >>>>> >>>>> I’m fine with Ekr’s original suggestion by replacing the last sentence >>>>> in the first paragraph with the following: >>>>> >>>>> "The choice by a user to join a particular network (e.g. by >>>>> physically plugging in a cable or selecting a network in a OS dialogue) >>>>> typically updates a number of system resources - these can include IP >>>>> addresses, availability of IPv4/IPv6, DHCP server, and DNS resolver. These >>>>> individual changes, including the change in DNS resolver, are not normally >>>>> communicated directly to the user by the OS when the network is joined. The >>>>> choice of network has historically determined the default system >>>>> DNS resolver selection; the two are directly coupled in this model. >>>>> >>>> >>>> WFM. >>>> >>>> >>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>> >>>>>>> >>>>>>> >>>>>>> The vast majority of users do not change default >>>>>>>> application-specific settings and so implicitly accept the >>>>>>>> application-specific settings for DNS. As with network resolvers, these >>>>>>>> resolvers may have strong, medium, or weak privacy policies depending on >>>>>>>> the application. Privacy policies for these servers may or may not be >>>>>>>> available and users need to be aware that privacy guarantees will vary with >>>>>>>> each application. >>>>>>>> >>>>>>>> For users to have the ability to inspect and control the >>>>>>>> application-specific DNS settings in a similar fashion to the OS DNS >>>>>>>> settings, each application must also: >>>>>>>> >>>>>>>> o expose the default settings to the user >>>>>>>> >>>>>>>> o provide configuration options to manually override the >>>>>>>> default settings >>>>>>>> >>>>>>>> o provide configuration options to always use the system >>>>>>>> resolver" >>>>>>>> >>>>>>> >>>>>>> This last point is wrong. The parallel here would be to use the >>>>>>> *network provided* resolver, not the system resolver. I would suggest that >>>>>>> you be less prescriptive about this and just say "applications will need to >>>>>>> provide user-visible options to configure the resolver." I would avoid >>>>>>> "must" (even in lower case) because this is a statement of fact, not a >>>>>>> normative one. >>>>>>> >>>>>> >>>>> >>>>>> No, system resolver is accurate. In addition to not knowing what >>>>>> possible resolver is offered by DHCP, the application can't know if DHCP >>>>>> (i.e. network provided) is even being used -- the system could be using a >>>>>> static choice of resolver, or even other non-DNS resolution services (e.g. >>>>>> NIS+). >>>>>> >>>>> >>>>> It turns out that there are at least three options here: >>>>> >>>>> - Select your own resolver >>>>> - Select the resolver *configured into the system* (AIUI this is what >>>>> Chrome does). >>>>> - Use the system resolver via the conventional API calls. >>>>> >>>>> >>>>> Suggest: >>>>> >>>>> "For users to have the ability to inspect and control the >>>>> application-specific DNS settings in a similar fashion to the OS DNS >>>>> settings, each application also needs to: >>>>> >>>>> o expose the default settings to the user >>>>> >>>>> o provide configuration options to manually override the default >>>>> settings so that resolution is performed via >>>>> * user specified resolvers >>>>> * the resolvers configured into the system settings >>>>> * the system resolver via conventional API calls >>>>> >>>>> If all such applications are updated to use the system resolver, as >>>>> described in the last bullet point, the device reverts to a single point of >>>>> control for all DNS queries." >>>>> >>>> >>>> Hmm.... this seems unduly prescriptive. Perhaps. >>>> >>>> For users to have the ability to inspect and control the >>>> application-specific DNS settings in a similar fashion to the OS DNS >>>> settings, each application also needs to expose the default settings >>>> to the users and provide a configuration interface to change them. If >>>> this interface includes a setting to use the system resolver, then the >>>> device can be reverted to a single point of control for all DNS >>>> queries. >>>> >>>> >>>> I think this removes the status quo bias. >>>> >>>> >>>> I’d be OK with removing the sub-second bullet point but I think the >>>> other two have specific existing use cases: >>>> >>>> - ‘change them’ doesn’t explicitly allow for user specified resolvers >>>> which all OS’s do >>>> - without the option to disable the application-specific resolution a >>>> user cannot apply device level controls to their DNS queries (logging, >>>> filtering or rules directing different queries to different resolvers) in a >>>> way that can be done today. >>>> >>> >>> But this is what I mean by "status quo bias". And in this case, I >>> suspect it's not even correct status quo bias because plenty of >>> applications have been doing their own name resolution for some time (and >>> of course malware will not have settings for this). >>> >> >> I think this argument suffers from lack of supporting examples, as well >> as from ambiguous terminology. >> >> Two specific terms I see as problematic: "applications"; and "name >> resolution". >> >> The examples that should be included to reduce the ambiguity would be >> actual applications, including (a) whether those require administrative >> privileges to install, (b) whether those are end-user applications vs >> system services (such as mail transport agents), and (c) whether/how they >> make changes to resolver choice. >> >> The term "name resolution" could be anything from making calls to >> installed libraries such as "ldns", which expose additional APIs but which >> generally inherit OS resolution, to the "getdns" bindings, to implementing >> full stub resolver functionality. It's not enough to say some do one thing, >> some do another, evaluating the assertion being made means having those >> details for each application that is being offered as an example. >> >> I'm aware of SMTP services that necessarily do their own resolution, in >> order to handle a variety of things (such as MX records, SPF, DMARC, DKIM, >> and even TLSA), but which largely are system-level services who are >> generally configured by administrators, and generally conform to the >> existing environment as far as resolver choice is concerned. >> >> I'm not aware of end-user applications doing any kind of DNS, and I'm >> reasonably confident in saying that a number of platforms, such as Apple >> iOS, do not support applications that do so. >> > > As I said, Chrome does its own name resolution and has for quite some > time, using the resolvers configured into the system and then sending its > own DNS packets. This used to be common practice in SIP softphones, but I > haven't worked on one in quite some time. I'm not sure on what basis you > claim iOS doesn't support this, as that's not my understanding. Can you > provide a citation here? > Sure. From https://developer.apple.com/documentation/networkextension/dns_proxy_provider DNS proxy providers are only supported on supervised iOS devices. (And the latter is described here: https://support.apple.com/guide/apple-configurator-2/supervised-devices-apd9e4f64088/mac ) So basically, the ability to use third party DNS is limited to managed devices, corporate or education. The only other exception is the one done via VPN services, which is a different set of frameworks, IIUC. (That's why 1.1.1.1 is a VPN app rather than just a resolver, I believe.) Brian > > -Ekr > > > >> >> The existence of a handful of services that do DNS resolution, does not >> negate the central argument, that the expectation is that the OS-configured >> resolver being used for DNS is the de facto status quo for end-user systems >> and infrastructure systems. >> >> I also don't understand what the problem of status quo bias actually is, >> could you explain the problem? >> >> Brian >> >> >> >>> >>> As I said before, we should hear from people who implement their own >>> resolver.... >>> >>> -Ekr >>> >>> Sara. >>>> >>>> That said, I'd like to hear from people >>>> who implement their own resolver even for Do53. I know Chrome does >>>> this and I believe it's quite common for SIP stacks due to performance >>>> concerns with the system resolver. >>>> >>>> -Ekr >>>> >>>> >>>> >>>>> Sara. >>>>> >>>>> >>>>> -Ekr >>>>> >>>>> >>>>>> Brian >>>>>> >>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> The point in section 3.5..1.1.2 terms of privacy considerations >>>>>>>>> is that any application that uses an application specific DNS setting >>>>>>>>> introduces another control point on the device for the DNS resolution >>>>>>>>> setting (which with the current offerings is independent of the network >>>>>>>>> used), and if or how that is exposed is entirely up to the application. I >>>>>>>>> suggest adding this text at the start of the second paragraph: >>>>>>>>> >>>>>>>>> "Such application-specific settings introduce new control points >>>>>>>>> on end user devices for DNS resolution settings in addition to the >>>>>>>>> historically used system settings." >>>>>>>>> >>>>>>>> >>>>>>>> Well, I suppose this is true, but it's also true of (for instance) >>>>>>>> allowing the user to set a proxy, which we've done forever. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> >>>>>>>>> S 3.5.1.1.2. >>>>>>>>> > >>>>>>>>> > Application-specific changes to default destinations for >>>>>>>>> users' DNS >>>>>>>>> > queries might increase or decrease user privacy - it is >>>>>>>>> highly >>>>>>>>> > dependent on the network context and the >>>>>>>>> application-specific >>>>>>>>> > default. This is an area of active debate and the IETF is >>>>>>>>> working on >>>>>>>>> > a number of issues related to application-specific DNS >>>>>>>>> settings. >>>>>>>>> >>>>>>>>> This, too, could be said about the current situation. >>>>>>>>> >>>>>>>>> >>>>>>>>> See above. >>>>>>>>> >>>>>>>> >>>>>>>> And my response above.. >>>>>>>> >>>>>>>> -Ekr >>>>>>>> >>>>>>>> >>>>>>>>> Sara. >>>>>>>>> >>>>>>>>> >>>>>>>>> On Mon, Jan 20, 2020 at 1:47 PM Eric Vyncke (evyncke) < >>>>>>>>> evyncke@cisco.com> wrote: >>>>>>>>> >>>>>>>>>> Thanks to Sara and Stéphane for the -04 revised I-D. >>>>>>>>>> >>>>>>>>>> After reading the -04, I think that most of the IETF Last Call >>>>>>>>>> comments are addressed (and consensus needs to be balanced -- even for >>>>>>>>>> informational document) and that the document sticks to facts. >>>>>>>>>> >>>>>>>>>> But, as section 3.5.1 ("in the recursive resolvers") raised a lot >>>>>>>>>> of discussions during the first IETF Last Call, and as the authors reacted >>>>>>>>>> to those comments by deep changes in the text, let's have a new IETF Last >>>>>>>>>> Call before proceeding with IESG evaluation. >>>>>>>>>> >>>>>>>>>> Again, thank you to the reviewers and the authors >>>>>>>>>> >>>>>>>>>> Regards, >>>>>>>>>> >>>>>>>>>> -éric >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On 20/01/2020, 22:34, "IETF Secretariat" < >>>>>>>>>> ietf-secretariat-reply@ietf.org> wrote: >>>>>>>>>> >>>>>>>>>> IESG state changed: >>>>>>>>>> >>>>>>>>>> New State: Last Call Requested >>>>>>>>>> >>>>>>>>>> (The previous state was Waiting for AD Go-Ahead::AD Followup) >>>>>>>>>> >>>>>>>>>> The previous last call raised several points. The authors >>>>>>>>>> have worked on those points and this new informational IETF draft has >>>>>>>>>> substantive changes; enough to go trigger a new IETF Last Call. >>>>>>>>>> >>>>>>>>>> -éric >>>>>>>>>> >>>>>>>>>> Datatracker URL: >>>>>>>>>> https://datatracker.ietf.org/doc/draft-ietf-dprive-rfc7626-bis/ >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> dns-privacy mailing list >>>>>>>>>> dns-privacy@ietf.org >>>>>>>>>> https://www.ietf.org/mailman/listinfo/dns-privacy >>>>>>>>>> >>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>> dns-privacy mailing list >>>>>>>> dns-privacy@ietf.org >>>>>>>> https://www.ietf.org/mailman/listinfo/dns-privacy >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>> dns-privacy mailing list >>>>>>> dns-privacy@ietf.org >>>>>>> https://www.ietf.org/mailman/listinfo/dns-privacy >>>>>> >>>>>> >>>>
- [dns-privacy] Datatracker State Update Notice: <d… IETF Secretariat
- Re: [dns-privacy] Datatracker State Update Notice… Eric Vyncke (evyncke)
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Vittorio Bertola
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Vittorio Bertola
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Brian Dickson
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Stephen Farrell
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Vittorio Bertola
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Brian Dickson
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Brian Dickson
- Re: [dns-privacy] Datatracker State Update Notice… Jim Reid
- Re: [dns-privacy] Datatracker State Update Notice… Brian Dickson
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Tony Finch
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Vittorio Bertola
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Eric Orth
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Eric Orth
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] [EXT] Re: Datatracker State Upd… Vittorio Bertola
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Eric Vyncke (evyncke)
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Christian Huitema
- Re: [dns-privacy] Datatracker State Update Notice… Vittorio Bertola
- Re: [dns-privacy] Datatracker State Update Notice… Stephane Bortzmeyer
- Re: [dns-privacy] Datatracker State Update Notice… Stephane Bortzmeyer
- Re: [dns-privacy] Datatracker State Update Notice… Ben Schwartz
- Re: [dns-privacy] Datatracker State Update Notice… Vittorio Bertola
- Re: [dns-privacy] Datatracker State Update Notice… Vittorio Bertola
- Re: [dns-privacy] Datatracker State Update Notice… S Moonesamy
- Re: [dns-privacy] Datatracker State Update Notice… Andrew Campling
- Re: [dns-privacy] Datatracker State Update Notice… Andrew Campling
- Re: [dns-privacy] Datatracker State Update Notice… Christian Huitema
- Re: [dns-privacy] Datatracker State Update Notice… Brian Dickson
- Re: [dns-privacy] Datatracker State Update Notice… Rob Sayre