Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>

Eric Rescorla <ekr@rtfm.com> Tue, 07 April 2020 15:48 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 07 Apr 2020 08:47:57 -0700
Message-ID: <CABcZeBNi2LKvGFcmTM0uC+rFEVm5tgw6Zo1LS_CoO5=Zo0zqSA@mail.gmail.com>
To: Vittorio Bertola <vittorio.bertola@open-xchange.com>
Cc: Sara Dickinson <sara@sinodun.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "draft-ietf-dprive-rfc7626-bis@ietf.org" <draft-ietf-dprive-rfc7626-bis@ietf.org>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/tLnP8Mqc_D_bFaPBUy9q7fhgCWU>
Subject: Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>

On Tue, Apr 7, 2020 at 8:40 AM Vittorio Bertola <vittorio.bertola@open-xchange.com> wrote:

>
> On 07/04/2020 17:23 Eric Rescorla <ekr@rtfm.com> wrote:
>
>
>
> On Tue, Apr 7, 2020 at 7:38 AM Sara Dickinson <sara@sinodun.com> wrote:
>
> The goal of this text is to enumerate for the end user the privacy
> considerations of using such an application so I propose this text:
>
> "For users to have the ability to manage the application-specific DNS
> settings in a similar fashion to the OS DNS settings, each application also
> needs to expose the default settings to the user, provide a configuration
> interface to change them, and support configuration of user specified
> resolvers.
>
> If all of the applications used on a given device also provide a setting
> to use the system resolver, then the device can be reverted to a single
> point of control for all DNS queries. If not, then (depending on the
> application and transport used for DNS queries) users should take note that
> they may not be able to inspect all their DNS queries or manage them to set
> device wide controls e.g. domain based query re-direction or filtering."
>
>
> I don't think this addresses my concern, because "revert" implies that
> this is somehow the default situation, which, as I said, is not clearly the
> case because applications have been doing their own resolution for some
> time.
>
> In the interest of moving forward, I suggest you change the term
> "reverted" to "configured" and add at the end "Note that this does not
> guarantee controlling malware name resolution as it can simply ignore the
> system resolver and any user configuration settings."
>
> I don't understand where in the proposed text there was a reference to
> malware that prompted further discussion of the effectiveness of using DNS
> to counter it. In any case, if we think that we need to discuss this topic
> at that point in the draft, one should also note that there also are ways
> to prevent malware from reaching a different resolver, though they are less
> likely to work once connections are encrypted, etc. But I think that this
> would make reaching consensus even harder, so perhaps we could avoid doing
> so and just focus on suggestions related to application configuration.
>

Well, I would be happy to strike this text entirely. However, the text
speaks of "control" and if we're going to say that, we should acknowledge
that the system DNS is not going to let you control malicious applications
because malware can just do its own resolution. As it is, I think the text
gives a false impression.

-Ekr

-- 
>
> Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
> vittorio.bertola@open-xchange.com
> Office @ Via Treviso 12, 10144 Torino, Italy
>
>
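The thread turns on two points: that an application (malicious or not) can ignore the system resolver, and that device-wide controls such as domain-based filtering become harder to apply "once connections are encrypted". The script below is an added illustration of the defender's side of that argument; it is not part of the thread or of draft-ietf-dprive-rfc7626-bis. It assumes a device whose configured system resolver is known, and it runs over a few constructed connection-log lines (fields: timestamp, process, destination IP, destination port, protocol; all addresses and process names are made up). It classifies each flow as plain DNS to the system resolver, plain DNS to some other resolver (still visible and filterable by port), DNS over TLS to another resolver (detectable by port 853, contents opaque), or unknown, which is where DNS over HTTPS lands because it shares port 443 with ordinary HTTPS and cannot be told apart by port alone. That last bucket is exactly why a system-resolver setting gives no guarantee of control over an application's resolution.

```python
"""Added example (not from the mailing-list thread): classify DNS-related flows
in constructed connection-log lines to show which application resolution a
device-wide resolver policy can and cannot see.

Assumptions (not stated anywhere in the thread): the device's configured system
resolver address is known, and logs carry the fields
"timestamp process dst_ip dst_port proto". All values below are constructed.
"""
from dataclasses import dataclass

# Constructed policy value: the resolver this device is configured to use.
# 192.0.2.0/24 is a documentation range, so this is obviously not a real server.
SYSTEM_RESOLVER = "192.0.2.53"

# Constructed sample log lines: "timestamp process dst_ip dst_port proto".
SAMPLE_LOG = """\
2020-04-07T15:40:01Z systemd-resolved 192.0.2.53   53  udp
2020-04-07T15:40:02Z browser          192.0.2.53   53  udp
2020-04-07T15:40:03Z browser          198.51.100.8 53  udp
2020-04-07T15:40:04Z updater          198.51.100.9 853 tcp
2020-04-07T15:40:05Z updater          203.0.113.7  443 tcp
"""


@dataclass
class Finding:
    process: str
    dst: str
    port: int
    verdict: str


def classify(dst_ip: str, dst_port: int, system_resolver: str) -> str:
    """Return one of four verdicts for a single flow.

    system       plain DNS to the configured resolver: inspectable and
                 subject to device-wide redirection or filtering
    bypass-do53  plain DNS to some other resolver: visible on the wire and
                 blockable by port, so device-wide controls still apply
    bypass-dot   DNS over TLS (port 853) to another resolver: the port gives
                 it away, but query names are no longer visible
    unknown      anything else; DNS over HTTPS uses port 443 like ordinary
                 HTTPS, so port-based inspection cannot single it out
    """
    if dst_port == 53 and dst_ip == system_resolver:
        return "system"
    if dst_port == 53:
        return "bypass-do53"
    if dst_port == 853:
        return "bypass-dot"
    return "unknown"


def audit(log_text: str, system_resolver: str = SYSTEM_RESOLVER) -> list:
    """Parse whitespace-separated log lines and classify each flow."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, proc, ip, port, _proto = line.split()
        findings.append(Finding(proc, ip, int(port), classify(ip, int(port), system_resolver)))
    return findings


def bypassing_processes(findings: list) -> list:
    """Processes observed resolving outside the system resolver over a
    transport that port-based inspection can still recognise as DNS."""
    return sorted({f.process for f in findings if f.verdict.startswith("bypass")})


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"{f.process:16} {f.dst:14} {f.port:>4}  {f.verdict}")
    print("processes bypassing the system resolver:", bypassing_processes(results))
```

Read the "unknown" row as the practical limit of the approach: the updater's port-443 flow may be DoH or may be a plain software download, and nothing in a flow log distinguishes the two. Controls that rely on this kind of inspection therefore cover only the first three categories, which is the caveat the exchange above is circling.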