Re: [dnsext] afasterinternet.com trial and draft-vandergaast-edns-client-subnet-00

[Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>]

On Sep 6, 2011, at 10:40 AM, Ted Hardie wrote:
>> a)  Does it matter?
>> 
>> b)  Do a query with EDNS0 client subnet and see what happens.
>> 
> 
> The upshot of this is that SM is right:  clients who do not wish to
> provide a client
> identifier will have to update their software to achieve this goal,
> since they cannot
> identify whether a service is using it without that update.
> 
> regards,

But at the same time, what information is being leaked to whom?  

Which is the only reason why a client would want to disable this at all, and the only reason to argue for "opt-in" rather than "opt-out" on the client viewpoint.  (Yes, this zombie keeps rising.) 


NO information is being leaked TO the recursive resolver, it already gets all this information.


The only information leakage is SUBNET (NOT IP address), TO the authority for the domain.  

Which would ONLY be an information leakage at all if either:

a)  The authority is NOT responsible for operating the final server the client eventually contacts 
or
b)  The client does NOT use the DNS record to contact a server belonging to the authority
or
c)  The client uses a broken tunnel, contacting the final server from a different IP from that used by DNS.



And this is ONLY necessary for out-of-path resolvers (eg, Google Public DNS, OpenDNS), where in almost all cases the user has already explicitly opted in!  

No other resolver really benefits from supporting this anyway, as most of the big nation-spanning ISPs have already gone with a distributed DNS infrastructure, so the IP address of the query to the authority is already giving the authority of the domain information roughly equivalent to what EDNS-client-subnet provides.