Re: [dnsext] Re: Privacy vs EDNS Client IP...

William Allen Simpson <william.allen.simpson@gmail.com> Wed, 03 February 2010 19:03 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7928A28C2CC; Wed, 3 Feb 2010 11:03:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.495
X-Spam-Level:
X-Spam-Status: No, score=-0.495 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2BO4y9qPfdbn; Wed, 3 Feb 2010 11:03:12 -0800 (PST)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 1791F3A68AA; Wed, 3 Feb 2010 11:01:48 -0800 (PST)
Received: from majordom by psg.com with local (Exim 4.71 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1NckOq-000LnL-Iw for namedroppers-data0@psg.com; Wed, 03 Feb 2010 18:56:28 +0000
Received: from [209.85.217.224] (helo=mail-gx0-f224.google.com) by psg.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <william.allen.simpson@gmail.com>) id 1NckOo-000Lmv-5K for namedroppers@ops.ietf.org; Wed, 03 Feb 2010 18:56:26 +0000
Received: by gxk24 with SMTP id 24so2124931gxk.1 for <namedroppers@ops.ietf.org>; Wed, 03 Feb 2010 10:56:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=/awxILq0HqBia0ifMIkrZUBeb/QYoOE/gg8AQqrs6Ng=; b=PFIvRTnHmJkPo4feI138UrQjk999/yB5jZ88oKjLWVDdPospHTga5YHZem7wXg0cCX UD2CR7ixAsYsyeuypnrY8gXwPYszh2GMBSDnKcQVSPlOkFlfU2x1kUlzLIJuX2HnNK0I yngV4y04iH7U/JTJhaH/69nuFbLwIV81ZjvjA=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; b=qFva6ku6lN23FVhoSHuVnuYXXdSCVzl2EWUKHkX95PgUWA1DYml6tQzJQkKPYO2g5G 4i4tN5o1XaOCNvf9ZJ6H2CJeiHvqWFVzsghoV4ANBkWVUISLgGYAsTDrP5dcfft5n7Fp nc8BrtC7mWokxpuXg+4XKGPR/z1zxGJrjSis8=
Received: by 10.150.213.16 with SMTP id l16mr425872ybg.151.1265223385327; Wed, 03 Feb 2010 10:56:25 -0800 (PST)
Received: from Wastrel.local (c-68-40-195-221.hsd1.mi.comcast.net [68.40.195.221]) by mx.google.com with ESMTPS id 23sm33856iwn.7.2010.02.03.10.56.23 (version=TLSv1/SSLv3 cipher=RC4-MD5); Wed, 03 Feb 2010 10:56:24 -0800 (PST)
Message-ID: <4B69C6D6.50505@gmail.com>
Date: Wed, 03 Feb 2010 13:56:22 -0500
From: William Allen Simpson <william.allen.simpson@gmail.com>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Re: Privacy vs EDNS Client IP...
References: <6e04e83a1002010944q7abfabc6h892ce4cbb1bddcbf@mail.gmail.com> <6e04e83a1002011402u395f599g74180d28fdbe5707@mail.gmail.com> <D8848FB8-3523-4580-A93F-764494531788@ICSI.Berkeley.EDU> <6e04e83a1002011640t1b637e30gd7d0150eeb0fae8d@mail.gmail.com> <E9A13A5C-73A7-4F66-9617-482551A9BA84@ICSI.Berkeley.EDU> <6e04e83a1002021155kcb908b1v71d362e03e7c4002@mail.gmail.com> <AB78D628-8A01-4742-B32A-90FC6806201E@ICSI.Berkeley.EDU> <20100203031042.GE1374@vacation.karoshi.com.> <7c31c8cc1002030135w183db140vd1c638bbdc999800@mail.gmail.com> <13956.1265204281@nsa.vix.com> <d791b8791002030637x481dab45mc7270a63a1b24f22@mail.gmail.com> <9A190BC7-D52E-4BF4-825A-F15AB4F7596F@icsi.berkeley.edu>
In-Reply-To: <9A190BC7-D52E-4BF4-825A-F15AB4F7596F@icsi.berkeley.edu>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
List-Unsubscribe: To unsubscribe send a message to namedroppers-request@ops.ietf.org with
List-Unsubscribe: the word 'unsubscribe' in a single line as the message text body.
List-Archive: <http://ops.ietf.org/lists/namedroppers/>

I almost overlooked this thread, because it was started as a reply deep
inside another thread.  Stop doing that!

Nicholas Weaver wrote:
> On Feb 3, 2010, at 6:37 AM, Matthew Dempsky wrote:
>>> you may think it's silly that most examples of "how could this violate my
>>> privacy" are of illegal activities which the internet ought probably not
>>> support in any case.  substitute the jailing of a dissident if you wish.
>> I wish you guys would have a consistent stance on privacy.  Apparently
>> letting sniffing attackers see your DNS traffic is of no concern, but
>> letting the authoritative server see it is terrifying.
> 
> They don't actually care about privacy, at least real privacy.  (if you care about privacy, you flip out about google public DNS)
> 
> Rather, they don't like the idea of CDN tricks, and things which would make these tricks continue to work in the face of third party resolvers are to be opposed, so come up with any opposition possible.
> 
> Paul Vixie in particular is a zealot on DNS issues.  EG, Bind does't do 0x20, which is proven safe, and still is pretty damn acceptable on accepting AND PROMOTING glue records.
> 
You've impugned the integrity of one of the foremost DNS developers and
thinkers.  But I've been involved in both DNS and privacy for as long
or longer, and have a pretty consistent stance on privacy....

Paul's correct.  You're wrong.

First of all, you're misusing the term "privacy", and that alone shows
that your thinking (or lack thereof) is not to be trusted on this issue.

  1) Anonymity -- nobody can identify any party, including another party.

  2) Privacy -- only the parties involved can identify each other.

Evesdropping is a violation of privacy, and that is a concern.  However,
it's not solvable by the DNS protocol.  So, it's out of scope here.

Thirdly, any protocol element that is not "opt-in" and reveals an identity
to an uninvolved party is a violation of privacy.  Privacy requires a
choice of the party to the transaction, in both legal and security sense.

There is no difficulty with CDN that uses Internet routing to distribute
traffic.  There have been an awful lot of "stupid DNS tricks" -- they are
bad ideas.

Just because somebody has an idea on how to make money doesn't mean it's a
good idea.