Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>
Eric Rescorla <ekr@rtfm.com> Mon, 20 January 2020 23:23 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C322120801 for <dns-privacy@ietfa.amsl.com>; Mon, 20 Jan 2020 15:23:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1JpignJllqDj for <dns-privacy@ietfa.amsl.com>; Mon, 20 Jan 2020 15:23:24 -0800 (PST)
Received: from mail-lj1-x242.google.com (mail-lj1-x242.google.com [IPv6:2a00:1450:4864:20::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29D3F12082D for <dns-privacy@ietf.org>; Mon, 20 Jan 2020 15:23:24 -0800 (PST)
Received: by mail-lj1-x242.google.com with SMTP id j1so800410lja.2 for <dns-privacy@ietf.org>; Mon, 20 Jan 2020 15:23:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xbNKX6A25pxQ4/rZ6335JdY3YdmjQO4LF0iFzu3LArY=; b=Vu7IhDsIy842z9ndV44wZk+R+XFW0q5Ff6+gXA15j2Vrjy9s83liTWRvnqqo0rk3xN iqgAMaIwR5V7WqFmB59wnv/fB90pWvRsD0yuFESbP5s14W9ERKan/A9m3ZpkJdKkw2ov //PYApQn/1U5mLh0S7asIkInEc0v/sfueHCBQMyNjvtpSgBO65dVTOGa75KvWfxxxRR2 y48KJH04b20o6NuirM82GZ7KXRHvwmM6Ph5AoGNt9nqN4do/flsh+3C1U7dPO2COqJvf Qrwcd8qQuJS4Udn8kXmo0t4QzkK2BAB/C0JYPvAAMTuBJTeGOKmEG+r5zH4i7unFjoch Njzw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xbNKX6A25pxQ4/rZ6335JdY3YdmjQO4LF0iFzu3LArY=; b=JjLiq48oVRYmrhwlGGBLcR3l0XUXkXbFwtStu8xBwN2uO5hWmCs3z8H2HY1VA6wBNb Ct9fBjcXigEhhv2Aag8//E18AnljgseQjEFc2GhWLX6zWAAwcWhinLVmFTz/unzjrTlu wO5lhBgYYrDpfCscn5w/jmjVriAlrxqlADGk3Q53YdY/9+0g9OFYg4IxBXWfpSRzmzhb rvQLZwCDCmRotjM6c6itL4bvdKBELRK38MLvFsKXach4vLxZEIveRIEcN4eax0meoGpf 09l8LKbfMtcvcGSD3rEKSZhKF3o+o/neh3b9qnuui8qw/z5BGSQsamc9EvMaGvThPTsC 5lfQ==
X-Gm-Message-State: APjAAAXzajpb2qyIRHq+dU4W9FkXxhzqkKbzA5yVAXMdlTgG0VQPBLfT ElEyqgBAOXs6CqwJBgdMiHQ+4JEFM4btzJpLV2Zg3A==
X-Google-Smtp-Source: APXvYqzgBW38tJ7seP4h0mC0uDl7V0nTGe2bE4mCzOLltgWBVDBRhzenAfnuijbQ1UbyOTrxK639QO3cnhizn26OrXc=
X-Received: by 2002:a2e:b0e3:: with SMTP id h3mr14414043ljl.56.1579562602330; Mon, 20 Jan 2020 15:23:22 -0800 (PST)
MIME-Version: 1.0
References: <157955609351.1744.15099511006231348523.idtracker@ietfa.amsl.com> <417BE033-4DE5-452A-BE93-0657C83051BC@cisco.com> <CABcZeBPK3yAaoai4ccd=hSffk5cAhoSC7gnBNqs36x-xJf=R-Q@mail.gmail.com>
In-Reply-To: <CABcZeBPK3yAaoai4ccd=hSffk5cAhoSC7gnBNqs36x-xJf=R-Q@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 20 Jan 2020 15:22:45 -0800
Message-ID: <CABcZeBPnKzEunvbUXv5kkOhdo9zMi=JjLRb6_hAncth6bU+PwA@mail.gmail.com>
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, last-call@ietf.org
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "draft-ietf-dprive-rfc7626-bis@ietf.org" <draft-ietf-dprive-rfc7626-bis@ietf.org>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d02d55059c9a937e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/lp7Rm4YJ87S6aii8vBrQFgKqeUc>
Subject: Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jan 2020 23:23:27 -0000
+last-call On Mon, Jan 20, 2020 at 2:37 PM Eric Rescorla <ekr@rtfm.com> wrote: > Review comments attached: > > > COMMENTS > S 3.1. > > described above, and may not have any confidentiality requirements. > > However, the same is not true of a single transaction or a sequence > > of transactions; that transaction is not / should not be public. A > > typical example from outside the DNS world is: the web site of > > Alcoholics Anonymous is public; the fact that you visit it should > not > > be. > > Well, technically what you want to conceal is the origin of the > transaction or its linkage to other transactions. The existence of the > query for that A record isn't secret. > > > > > > S 3.4.2. > > fingerprint [2] values can be used to fingerprint client OS's or > that > > various techniques can be used to de-NAT DNS queries dns-de-nat [3]. > > > > Note that even when using encrypted transports the use of clear text > > transport options to decrease latency can provide correlation of a > > users' connections e.g. using TCP Fast Open [RFC7413] with TLS 1.2. > > Why does this say TLS 1.2? Any use of TFO will have the same > properties. > > Perhaps you are thinking of TLS session tickets here? > > > > > S 3.4.2. > > services available. Given this, the choice of a user to configure a > > single resolver (or a fixed set of resolvers) and an encrypted > > transport to use in all network environments can actually serve to > > identify the user as one that desires privacy and can provide an > > added mechanism to track them as they move across network > > environments. > > I don't understand this paragraph. It's not the choice of specific > resolvers that leaks data, but the choice to turn on encryption, In > fact, from an identification purpose, the more resolvers that support > encrypted transport, the better signal this is. > > > S 3.4.2. > > identify the user as one that desires privacy and can provide an > > added mechanism to track them as they move across network > > environments. > > > > Implementations that support encrypted transports also commonly re- > > use sessions for multiple DNS queries to optimize performance (e.g. > > Note: session is a technical term in TLS that refers to the > association not the connection. I would say "connection" > > > S 3.5.1.1.2. > > > > o communicate clearly the change in default to users > > > > o provide configuration options to change the default > > > > o provide configuration options to always use the system resolver > > I get that you think this is neutral, but all of this is equally true > about dynamic discovery via DHCP, it's just that that's the status > quo, so you don't notice it. In this context, this text is tendentious. > > > S 3.5.1.1.2. > > > > Application-specific changes to default destinations for users' DNS > > queries might increase or decrease user privacy - it is highly > > dependent on the network context and the application-specific > > default. This is an area of active debate and the IETF is working > on > > a number of issues related to application-specific DNS settings. > > This, too, could be said about the current situation. > > On Mon, Jan 20, 2020 at 1:47 PM Eric Vyncke (evyncke) <evyncke@cisco.com> > wrote: > >> Thanks to Sara and Stéphane for the -04 revised I-D. >> >> After reading the -04, I think that most of the IETF Last Call comments >> are addressed (and consensus needs to be balanced -- even for informational >> document) and that the document sticks to facts. >> >> But, as section 3.5.1 ("in the recursive resolvers") raised a lot of >> discussions during the first IETF Last Call, and as the authors reacted to >> those comments by deep changes in the text, let's have a new IETF Last Call >> before proceeding with IESG evaluation. >> >> Again, thank you to the reviewers and the authors >> >> Regards, >> >> -éric >> >> >> On 20/01/2020, 22:34, "IETF Secretariat" < >> ietf-secretariat-reply@ietf.org> wrote: >> >> IESG state changed: >> >> New State: Last Call Requested >> >> (The previous state was Waiting for AD Go-Ahead::AD Followup) >> >> The previous last call raised several points. The authors have worked >> on those points and this new informational IETF draft has substantive >> changes; enough to go trigger a new IETF Last Call. >> >> -éric >> >> Datatracker URL: >> https://datatracker.ietf.org/doc/draft-ietf-dprive-rfc7626-bis/ >> >> >> >> _______________________________________________ >> dns-privacy mailing list >> dns-privacy@ietf.org >> https://www.ietf.org/mailman/listinfo/dns-privacy >> >
- [dns-privacy] Datatracker State Update Notice: <d… IETF Secretariat
- Re: [dns-privacy] Datatracker State Update Notice… Eric Vyncke (evyncke)
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Vittorio Bertola
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Vittorio Bertola
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Brian Dickson
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Stephen Farrell
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Vittorio Bertola
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Brian Dickson
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Brian Dickson
- Re: [dns-privacy] Datatracker State Update Notice… Jim Reid
- Re: [dns-privacy] Datatracker State Update Notice… Brian Dickson
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Tony Finch
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Vittorio Bertola
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Eric Orth
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Eric Orth
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] [EXT] Re: Datatracker State Upd… Vittorio Bertola
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Eric Vyncke (evyncke)
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Eric Rescorla
- Re: [dns-privacy] Datatracker State Update Notice… Sara Dickinson
- Re: [dns-privacy] Datatracker State Update Notice… Christian Huitema
- Re: [dns-privacy] Datatracker State Update Notice… Vittorio Bertola
- Re: [dns-privacy] Datatracker State Update Notice… Stephane Bortzmeyer
- Re: [dns-privacy] Datatracker State Update Notice… Stephane Bortzmeyer
- Re: [dns-privacy] Datatracker State Update Notice… Ben Schwartz
- Re: [dns-privacy] Datatracker State Update Notice… Vittorio Bertola
- Re: [dns-privacy] Datatracker State Update Notice… Vittorio Bertola
- Re: [dns-privacy] Datatracker State Update Notice… S Moonesamy
- Re: [dns-privacy] Datatracker State Update Notice… Andrew Campling
- Re: [dns-privacy] Datatracker State Update Notice… Andrew Campling
- Re: [dns-privacy] Datatracker State Update Notice… Christian Huitema
- Re: [dns-privacy] Datatracker State Update Notice… Brian Dickson
- Re: [dns-privacy] Datatracker State Update Notice… Rob Sayre