Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edns-client-ip-00.txt

Paul Hoffman <paul.hoffman@vpnc.org> Fri, 29 January 2010 15:02 UTC

Mime-Version: 1.0
Message-Id: <p06240887c787ebb6dafa@[10.20.30.158]>
In-Reply-To: <BB12CD2F-7371-4A45-9FF1-322ABAE84418@hopcount.ca>
References: <7c31c8cc1001271556w4918093er6e94e07cb92c4dc4@mail.gmail.com> <BB12CD2F-7371-4A45-9FF1-322ABAE84418@hopcount.ca>
Date: Thu, 28 Jan 2010 17:45:17 -0800
To: Joe Abley <jabley@hopcount.ca>, Wilmer van der Gaast <wilmer@google.com>
From: Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edns-client-ip-00.txt
Cc: namedroppers@ops.ietf.org
Content-Type: text/plain; charset="us-ascii"
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk

At 1:49 PM +1300 1/29/10, Joe Abley wrote:
>On 2010-01-28, at 12:56, Wilmer van der Gaast wrote:
>
>> To summarize the I-D: It specifies an EDNS0 option that carries IP
>> address information (by default only the first 24 bits to preserve
>> privacy) of the user that triggered a DNS resolution.
>
>My initial reading of the proposal suggests that the client that originates the DNS request is the one that MAY populate a client-address option, and that any other resolver or proxy in the chain between the client and a server (cache or authority) which supplies an answer MAY NOT change the client-address option data.
>
>Suppose most clients are numbered using RFC 1918 addresses behind a NAT, and have no trivial way of discovering a non-RFC1918 address that the world might see them as. In that case isn't the address information that ultimately arrives at cache or authority nameservers useless for any purpose other than identifying that RFC 1918 addresses are in use?

Section 4.1 says "An edns-client-ip option MUST never contain a non-public address." To me, that means two things:

- If I'm an end client and I know my address is non-public, I cannot include an edns-client-ip option in my request upstream.

- If I'm a recursive resolver and I get a query that erroneously includes an edns-client-ip option with a non-public address in it, I strip off that option before sending that request upstream.

If I have understood the draft correctly, then the concerns about private addresses their effects on authoritative resolvers are moot.

The biggest stumbling block here is the assumption that developers will know the correct list of non-public addresses. Given lots of deployed counter-examples, that seems like a bad assumption. Specific pointers to specific IANA registries are needed in this draft.

--Paul Hoffman, Director
--VPN Consortium

[dnsext] Re: I-D ACTION:draft-vandergaast-edns-cl… Wilmer van der Gaast
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Colm MacCárthaigh
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Paul Vixie
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Tony Finch
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Paul Vixie
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Carlo Contavalli
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Sean Leach
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Paul Hoffman
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Paul Vixie
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Alex Bligh
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Paul Vixie
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Colm MacCárthaigh
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Colm MacCárthaigh
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Ted Hardie
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Wilmer van der Gaast
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Paul Vixie
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Ted Hardie
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Alex Bligh
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
[dnsext] Re: I-D ACTION:draft-vandergaast-edns-cl… Stephane Bortzmeyer
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Alex Bligh
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Colm MacCárthaigh
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Alex Bligh
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Paul Vixie
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Olafur Gudmundsson
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Paul Vixie
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Alex Bligh
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Joe Abley
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Mark Andrews
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Olafur Gudmundsson
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Alex Bligh
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… George Barwood
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Martin Barry
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Colm MacCárthaigh
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Jim Reid
[dnsext] stupid dns tricks and transport paths Jim Reid
Re: [dnsext] stupid dns tricks and transport paths Martin Barry
[dnsext] Re: I-D ACTION:draft-vandergaast-edns-cl… Stephane Bortzmeyer
[dnsext] Privacy in IP address indication (Was: I… Stephane Bortzmeyer
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Florian Weimer
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Marco Davids
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Roy Arends
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Federico Lucifredi
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Paul Hoffman
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… sthaug
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Carlo Contavalli
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Carlo Contavalli
[dnsext] Re: I-D ACTION:draft-vandergaast-edns-cl… Wilmer van der Gaast
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Joe Abley
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Tony Finch
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
Re: [dnsext] Privacy in IP address indication (Wa… bmanning
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… bmanning
Re: [dnsext] Privacy in IP address indication (Wa… Eric Brunner-Williams
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Ondřej Surý
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Ondřej Surý
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Martin Barry
[dnsext] Re: I-D ACTION:draft-vandergaast-edns-cl… Stephane Bortzmeyer
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Carlo Contavalli
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Paul Hoffman
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… John Payne
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Ted Hardie
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Ted Hardie
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
[dnsext] Incoherency for the greater good, etc., … Edward Lewis
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Martin Barry
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Ted Hardie
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Ted Hardie
[dnsext] Privacy vs EDNS Client IP... Nicholas Weaver
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Brian Dickson
Re: [dnsext] Privacy vs EDNS Client IP... Jim Reid
[dnsext] EDNS client IP should be opt-in (Was: I-… Stephane Bortzmeyer
[dnsext] Re: EDNS client IP should be opt-in (Was… Carlo Contavalli
[dnsext] Re: EDNS client IP should be opt-in (Was… Ondřej Surý
[dnsext] Re: EDNS client IP should be opt-in (Was… Stephane Bortzmeyer
[dnsext] opt-in and draft-vandergaast-edns-client… Jim Reid
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… John Payne
[dnsext] Re: I-D ACTION:draft-vandergaast-edns-cl… Stephane Bortzmeyer
Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Jim Reid
Re: [dnsext] opt-in and draft-vandergaast-edns-cl… Matthew Dempsky
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Matthew Dempsky
Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Nicholas Weaver
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Eric Brunner-Williams
Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Jim Reid
Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Tony Finch
Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Wilmer van der Gaast
Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Nicholas Weaver
Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Matthew Dempsky
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Ondřej Surý
[dnsext] something for RFC2671-bis Jim Reid
Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Nicholas Weaver
[dnsext] EDNS behaviour and draft-vandergaast-edn… Jim Reid
Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Wilmer van der Gaast
Re: [dnsext] EDNS behaviour and draft-vandergaast… Nicholas Weaver
Re: [dnsext] something for RFC2671-bis Michael Graff
Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Michael Graff
Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Michael Graff
Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Matthew Dempsky
[dnsext] Re: Privacy vs EDNS Client IP... Ted Hardie
Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Michael Graff
Re: [dnsext] Re: Privacy vs EDNS Client IP... bmanning
[dnsext] Re: Privacy vs EDNS Client IP... Nicholas Weaver
Re: [dnsext] Re: EDNS client IP should be opt-in … Paul Vixie
Re: [dnsext] Re: EDNS client IP should be opt-in … Wilmer van der Gaast
Re: [dnsext] Re: EDNS client IP should be opt-in … Michael Graff
Re: [dnsext] Re: EDNS client IP should be opt-in … Wilmer van der Gaast
Re: [dnsext] Re: EDNS client IP should be opt-in … Michael Graff
Re: [dnsext] Re: EDNS client IP should be opt-in … Nicholas Weaver
Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Mark Andrews
[dnsext] Re: Privacy vs EDNS Client IP... Ted Hardie
[dnsext] Re: Privacy vs EDNS Client IP... Nicholas Weaver
Re: [dnsext] Re: Privacy vs EDNS Client IP... Wilmer van der Gaast
Re: [dnsext] Re: Privacy vs EDNS Client IP... Paul Vixie
Re: [dnsext] Re: Privacy vs EDNS Client IP... Matthew Dempsky
Re: [dnsext] Re: Privacy vs EDNS Client IP... Nicholas Weaver
Re: [dnsext] Re: Privacy vs EDNS Client IP... Nicholas Weaver
Re: [dnsext] Re: Privacy vs EDNS Client IP... Nicholas Weaver
Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Wilmer van der Gaast
Re: [dnsext] Re: Privacy vs EDNS Client IP... William Allen Simpson
Re: [dnsext] Re: Privacy vs EDNS Client IP... Jacco Tunnissen
RE: [dnsext] something for RFC2671-bis Greg Daley
Re: [dnsext] Re: Privacy vs EDNS Client IP... Paul Vixie
Re: [dnsext] draft-vandergaast-edns-client-ip-00.… John Payne
Re: [dnsext] Re: Privacy vs EDNS Client IP... Nicholas Weaver
Re: [dnsext] something for RFC2671-bis Jim Reid
RE: [dnsext] something for RFC2671-bis Greg Daley
Re: [dnsext] Re: Privacy vs EDNS Client IP... bmanning
Re: [dnsext] Re: Privacy vs EDNS Client IP... Matthew Dempsky
Re: [dnsext] Re: Privacy vs EDNS Client IP... Matthew Dempsky
Re: [dnsext] Re: Privacy vs EDNS Client IP... bmanning
Re: [dnsext] Re: Privacy vs EDNS Client IP... bmanning
Re: [dnsext] Re: Privacy vs EDNS Client IP... Alex Bligh