[dnsext] Re: Privacy vs EDNS Client IP...
Ted Hardie <ted.ietf@gmail.com> Tue, 02 February 2010 19:59 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B99AE3A6B41; Tue, 2 Feb 2010 11:59:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.128
X-Spam-Level:
X-Spam-Status: No, score=-106.128 tagged_above=-999 required=5 tests=[AWL=0.471, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HndYTJcM8yvM; Tue, 2 Feb 2010 11:59:40 -0800 (PST)
Received: from psg.com (psg.com [147.28.0.62]) by core3.amsl.com (Postfix) with ESMTP id 4C5693A6B3F; Tue, 2 Feb 2010 11:59:40 -0800 (PST)
Received: from majordom by psg.com with local (Exim 4.71 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1NcOq6-000PDR-Bw for namedroppers-data0@psg.com; Tue, 02 Feb 2010 19:55:10 +0000
Received: from [209.85.223.204] (helo=mail-iw0-f204.google.com) by psg.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <ted.ietf@gmail.com>) id 1NcOq3-000PCh-RL for namedroppers@ops.ietf.org; Tue, 02 Feb 2010 19:55:07 +0000
Received: by iwn42 with SMTP id 42so547112iwn.9 for <namedroppers@ops.ietf.org>; Tue, 02 Feb 2010 11:55:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=ySyC5vscBSFMyu/SddmKlsLFL/l6u4lM8QqvbIUswbU=; b=W83cy8V7rjbZoCqs8GlTrvhjItSWylx4Dzqpvxo8zGPz2nQbgc7yZ0P2TE37oe5E8/ iqMOBYMs5LEt0+DQWnNx3hWN2NFcAW6Z3X4x+DVzk2lvAiWbjNFatlSbaMKOv9OXohh+ ygT7fMGt2zdjrygH7bi8RAHYvREKu9yoMWFvM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=ULElheftIB0qzINbzP7nHmV3iw/kF1tufZC6G8OlqZYSsDuYbpPk5/t4/UMEE8fFiM GXOxu3ji0f9lPkpGeRS/NabLsYjJHtKyXiJ+hBdU+oidcJyMAmI+A4jiU96c8DnX9Exg H+cFi0xciIdNS7VMQ1Ny6rsdpr6ekvF4uMWX0=
MIME-Version: 1.0
Received: by 10.142.56.10 with SMTP id e10mr4236494wfa.309.1265140506310; Tue, 02 Feb 2010 11:55:06 -0800 (PST)
In-Reply-To: <E9A13A5C-73A7-4F66-9617-482551A9BA84@ICSI.Berkeley.EDU>
References: <7c31c8cc1001271556w4918093er6e94e07cb92c4dc4@mail.gmail.com> <139D0D6A-5A31-4EE8-88B9-3CACE933187B@icsi.berkeley.edu> <6e04e83a1002010944q7abfabc6h892ce4cbb1bddcbf@mail.gmail.com> <973B1F15-E822-491E-89BF-F09FC7E67509@ICSI.Berkeley.EDU> <6e04e83a1002011109u1cd55c99k8b584648184cdc73@mail.gmail.com> <162E0DB1-EC86-4206-AB36-6FEFA786B24C@ICSI.Berkeley.EDU> <6e04e83a1002011402u395f599g74180d28fdbe5707@mail.gmail.com> <D8848FB8-3523-4580-A93F-764494531788@ICSI.Berkeley.EDU> <6e04e83a1002011640t1b637e30gd7d0150eeb0fae8d@mail.gmail.com> <E9A13A5C-73A7-4F66-9617-482551A9BA84@ICSI.Berkeley.EDU>
Date: Tue, 02 Feb 2010 11:55:06 -0800
Message-ID: <6e04e83a1002021155kcb908b1v71d362e03e7c4002@mail.gmail.com>
Subject: [dnsext] Re: Privacy vs EDNS Client IP...
From: Ted Hardie <ted.ietf@gmail.com>
To: Nicholas Weaver <nweaver@icsi.berkeley.edu>
Cc: John Payne <john@sackheads.org>, Roy Arends <roy@nominet.org.uk>, Wilmer van der Gaast <wilmer@google.com>, namedroppers@ops.ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
List-Unsubscribe: To unsubscribe send a message to namedroppers-request@ops.ietf.org with
List-Unsubscribe: the word 'unsubscribe' in a single line as the message text body.
List-Archive: <http://ops.ietf.org/lists/namedroppers/>
Comments in-line. On Mon, Feb 1, 2010 at 6:51 PM, Nicholas Weaver <nweaver@icsi.berkeley.edu> wrote: > > On Feb 1, 2010, at 4:40 PM, Ted Hardie wrote: >>> You could consider an automatic opt-in from all clients using third party DNS servers, since they opted in to THAT in the first place. >>> >> >> Except that it wasn't in place when they configured them. So that's a >> post-facto >> opt-in, which doesn't seem much like an opt-in at all. > > Have you read a terms of service that hasn't said "we can do whatever we want whenever we want in the future?" > > You use a third party DNS service, you've already agreed to things like > >> New Features. >> >> OpenDNS may, in the future, offer new services and/or features through the Service (including, the release of new tools and resources). Such new features and/or services shall be subject to these Terms of Use. Your continued use of the Service after the introduction of new features and/or services constitutes your acceptance of the Terms of Use. > Again, I think you're conflating the terms of service for a particular actor with the protocol semantics here. You may be right that some 3rd party agreements allow one of the parties to set the ravish-me bit, but that doesn't make it okay to assume that all DNS users have agreed to the disclosure of this data. This wasn't possible before and they have not opted-in. You and I may disagree about whether or not they should, but let's at least be cleared that they have not. Separately, I agree with Stephane's comments on the method for opting out in the draft requiring work and having potential deployment difficulties. > >>> But if you want to require manual opt-in, you're saying "Kill this proposal" just in kinder language. >>> >> >> Notice that I'm not saying "Don't work on this problem", though. >> If the client included a bit that said "feel free to pass my details on" >> (what GEOPRIV used to call "setting the ravish-me bit") then I >> would have no privacy concern. > > IF the client has to notify that its OK, you are saying kill the proposal. > As I was trying to say in a previous message, there may be ways to get sufficient data from authorities to interested recursive resolver without there being any privacy-related disclosure. I don't know yet how practical they are, but the problem statement: "Authoritative servers wish to provide localized results based on network proximity. What is the best way for interested recursive resolvers and authoritative servers to manage information about these mappings?" does not automatically imply this solution nor any solution that requires divulging which client subnets originated specific queries. > Then the enterprise is being stupid unless all traffic funnels through the same gateway: Not only is it hurting CDN performance, but it is hurting ALL performance, for no real benefit. Agreed, and that's why I said fixing it by encouraging redeployment rather than localization was the appropriate remedy here. > >> No. If a recursive resolver turns this on globally, it will offer the option to >> every authoritative server (see section 4.1 of the draft) and it will pass >> the FAMILY and ADDRESS fields. That information will get passed to >> every authoritative server, whether that server is localizing or not. That's >> the wasted bits/data leakage issue I mentioned. > > But what I am saying is that for 1st party resolvers, BECAUSE the CDN tricks work already, this information is already effectively available for all authorities, this would just give comparable information for the OpenDNS users rather than the Comcast users, or Napanet users, or corporate customers, or.... > We seem to be talking at cross purposes here. Let me try again. This proposal would have the option be present whenever a recursive resolver talks to an authoritative server if it is globally set. That means that this information passes to every authoritative server, whether the authoritative server is localizing information or not. That means the universe of leaked data is not "Users of 3rd party DNS requesting info about localized servers" but potentially "users of 3rd party DNS requesting info from anyone". We don't disagree about whether someone running their own recursive resolver or using a local one is already disclosing (at least I don't think we do). If this is not set globally, then the recursive resolver has to maintain a table or set of rules that notes when it should be sent and when it should not. I'm not sure how it gets knowledge of which services are localized, so it is my expectation that anyone who turned it on would leave it on for all queries to authoritative servers. I could be wrong, of course, and some other pattern might easily emerge. > If this information leakage wasn't already there for the 1st party resolvers, the CDN tricks would never have been developed. This formalizes the information leakage for 3rd party resolvers. > And puts the onus on clients to opt-out of disclosure without knowing whether or not that disclosure is going on upstream of them. > >>> c: Where they don't route the DNS requests through the proxy >>> >> >> Not all proxy deployments permit the DNS request to be routed through >> the proxy. > > SOCKS does, IIRC, its part of the protocol. That firefox doesn't actually do this by default is IMO, a firefox bug. > SOCKS 4 did not; SOCKS 5 added support for it, but in many installations it requires explicitly directing the DNS traffic through the tunnel. SOCKS can leak DNS in cases where the tunnel is set up per application and DNS/UDP is not explicitly redirected. Some other forms of proxy don't handle UDP at all. >> >>> d: Somehow care about privacy despite using a 3rd party DNS service which they explicitly opted-into using in the first place! >>> >>> We can tell A and B, we can't tell C, or D >>> >>> For B: Use a proxy that is in their web browser setting (rather than forced by the network) + use OpenDNS: .77%. Yes, shockingly high, but OpenDNS really is overrepresented in our dataset. >>> >>> A will take a fair bit more work to answer, I need to start thinking on this. >>> >> >> You still seem to be missing the mobile IP case, where there is a long-lived >> tunnel to a home network but a portion of the traffic is originated from a local >> IP. > > Route your DNS through the same portal as your tunnel: > > If you're tunneling your web traffic, tunnel the associated DNS. Puts them on the same privacy footing. > > If you aren't tunneling your web traffic, why in god's name are you tunneling your DNS? > Think of it in VPN terms for a moment. The VPN set-up directs certain IP subnets through the tunnel interface, which can have effects from pointing default through the tunnel to setting up a small number of networks which are routed through the tunnel but leaving all others to be routed outside the tunnel. The resources available through the tunnel can include local file servers, smtp servers, and other services which are not available from outside because of firewall restrictions. The client needs to pass at least the DNS traffic related to those services through the tunnel because of split DNS. It is easier to pass *all* DNS through that tunnel if the set of resources the client is interested is {globally available services, private services available through the tunnel}. When it includes {globally available services, private services available through the tunnel, and private services available locally but not globally} I have to actually associate which domains are served where, and the default can go either to local or tunnel, depending on configuration. Things in MIP-land are a little more complicated yet (service selection options and so on), but this gives you an idea of why the DNS might exit someplace other than the traffic in the presence of a tunnel. > > > And the problem is, ANY "network mapping of requestor" will probably violate your privacy scruples: No, I'm fine with any mapping that the requester agrees to (a non-starter in your option) *or* that is actually a network mapping that doesn't disclose which IP address or subnet generated the request for the mapping. I could achieve that steganographically by putting the "real" request in a flood of requests related to other subnets, but that would be a colossal waste of resources. > > The only OTHER option would be to have the authority's response contain netmask rules and force the CDN processing onto the recursive resolver, which would be a huge shift in burden. > Is the real problem here a shift in burden of, presumably, processing power (since the network traffic might actually be less) or of CDN secret sauce? Because if a zone transfer-like mechanism of mapping info can accomplish this there is zero privacy implication to my mind, and I would be interested to see which of the recursive server operators would say yes to using it. > > >> Someone once called protocol development as an exercise at deciding whose >> ox gets gored. Goring the privacy of someone who doesn't get to be a party to >> the protocol exchange in which the data is distributed doesn't strike me as a >> good idea. Since you've already called me delusional on this point, I doubt >> my own ideas convince you. But I point you to the work of GEOPRIV as an >> existence proof that the IETF as a whole at least once cared about a similar >> issue (and given the services which correlate IP to location, one which is >> a lot closer than the proposal on the table admits). > > You are trying to "protect" the privacy of those who have explicitly and willingly given it up already to a major third party. They have already been a party to willingly giving up their privacy, so if you are going to gore anyone, it should be them. > > We disagree on this point. > > And if you are really concerned about privacy, I'd look at web analytics, that is far far FAR FAR more evil in spraying information around and there IS no opt-out other than technical countermeasures! You are worried about a paper cut (subnet of requester in a DNS message using third party DNS infrastructures) when there is arterial bleeding going on. > And this is unrelated to the work going on here. > > regards, Ted Hardie
- [dnsext] Re: I-D ACTION:draft-vandergaast-edns-cl… Wilmer van der Gaast
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Colm MacCárthaigh
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Paul Vixie
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Tony Finch
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Paul Vixie
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Carlo Contavalli
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Sean Leach
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Paul Hoffman
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Paul Vixie
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Alex Bligh
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Paul Vixie
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Colm MacCárthaigh
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Colm MacCárthaigh
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Ted Hardie
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Wilmer van der Gaast
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Paul Vixie
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Ted Hardie
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Alex Bligh
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
- [dnsext] Re: I-D ACTION:draft-vandergaast-edns-cl… Stephane Bortzmeyer
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Alex Bligh
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Colm MacCárthaigh
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Alex Bligh
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Paul Vixie
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Olafur Gudmundsson
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Paul Vixie
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Alex Bligh
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Joe Abley
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Mark Andrews
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Olafur Gudmundsson
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Alex Bligh
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… George Barwood
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Martin Barry
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Colm MacCárthaigh
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Jim Reid
- [dnsext] stupid dns tricks and transport paths Jim Reid
- Re: [dnsext] stupid dns tricks and transport paths Martin Barry
- [dnsext] Re: I-D ACTION:draft-vandergaast-edns-cl… Stephane Bortzmeyer
- [dnsext] Privacy in IP address indication (Was: I… Stephane Bortzmeyer
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Florian Weimer
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Marco Davids
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Roy Arends
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Federico Lucifredi
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Paul Hoffman
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… sthaug
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Carlo Contavalli
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Carlo Contavalli
- [dnsext] Re: I-D ACTION:draft-vandergaast-edns-cl… Wilmer van der Gaast
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Joe Abley
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Tony Finch
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
- Re: [dnsext] Privacy in IP address indication (Wa… bmanning
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… bmanning
- Re: [dnsext] Privacy in IP address indication (Wa… Eric Brunner-Williams
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Ondřej Surý
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Ondřej Surý
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Martin Barry
- [dnsext] Re: I-D ACTION:draft-vandergaast-edns-cl… Stephane Bortzmeyer
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Carlo Contavalli
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Paul Hoffman
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… John Payne
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Ted Hardie
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Ted Hardie
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
- [dnsext] Incoherency for the greater good, etc., … Edward Lewis
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Martin Barry
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Ted Hardie
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Ted Hardie
- [dnsext] Privacy vs EDNS Client IP... Nicholas Weaver
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Brian Dickson
- Re: [dnsext] Privacy vs EDNS Client IP... Jim Reid
- [dnsext] EDNS client IP should be opt-in (Was: I-… Stephane Bortzmeyer
- [dnsext] Re: EDNS client IP should be opt-in (Was… Carlo Contavalli
- [dnsext] Re: EDNS client IP should be opt-in (Was… Ondřej Surý
- [dnsext] Re: EDNS client IP should be opt-in (Was… Stephane Bortzmeyer
- [dnsext] opt-in and draft-vandergaast-edns-client… Jim Reid
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… John Payne
- [dnsext] Re: I-D ACTION:draft-vandergaast-edns-cl… Stephane Bortzmeyer
- Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Jim Reid
- Re: [dnsext] opt-in and draft-vandergaast-edns-cl… Matthew Dempsky
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Nicholas Weaver
- Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Matthew Dempsky
- Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Nicholas Weaver
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Eric Brunner-Williams
- Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Jim Reid
- Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Tony Finch
- Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Wilmer van der Gaast
- Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Nicholas Weaver
- Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Matthew Dempsky
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Ondřej Surý
- [dnsext] something for RFC2671-bis Jim Reid
- Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Nicholas Weaver
- [dnsext] EDNS behaviour and draft-vandergaast-edn… Jim Reid
- Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Wilmer van der Gaast
- Re: [dnsext] EDNS behaviour and draft-vandergaast… Nicholas Weaver
- Re: [dnsext] something for RFC2671-bis Michael Graff
- Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Michael Graff
- Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Michael Graff
- Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Matthew Dempsky
- [dnsext] Re: Privacy vs EDNS Client IP... Ted Hardie
- Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Michael Graff
- Re: [dnsext] Re: Privacy vs EDNS Client IP... bmanning
- [dnsext] Re: Privacy vs EDNS Client IP... Nicholas Weaver
- Re: [dnsext] Re: EDNS client IP should be opt-in … Paul Vixie
- Re: [dnsext] Re: EDNS client IP should be opt-in … Wilmer van der Gaast
- Re: [dnsext] Re: EDNS client IP should be opt-in … Michael Graff
- Re: [dnsext] Re: EDNS client IP should be opt-in … Wilmer van der Gaast
- Re: [dnsext] Re: EDNS client IP should be opt-in … Michael Graff
- Re: [dnsext] Re: EDNS client IP should be opt-in … Nicholas Weaver
- Re: [dnsext] draft-vandergaast-edns-client-ip-00.… Mark Andrews
- [dnsext] Re: Privacy vs EDNS Client IP... Ted Hardie
- [dnsext] Re: Privacy vs EDNS Client IP... Nicholas Weaver
- Re: [dnsext] Re: Privacy vs EDNS Client IP... Wilmer van der Gaast
- Re: [dnsext] Re: Privacy vs EDNS Client IP... Paul Vixie
- Re: [dnsext] Re: Privacy vs EDNS Client IP... Matthew Dempsky
- Re: [dnsext] Re: Privacy vs EDNS Client IP... Nicholas Weaver
- Re: [dnsext] Re: Privacy vs EDNS Client IP... Nicholas Weaver
- Re: [dnsext] Re: Privacy vs EDNS Client IP... Nicholas Weaver
- Re: [dnsext] Re: I-D ACTION:draft-vandergaast-edn… Wilmer van der Gaast
- Re: [dnsext] Re: Privacy vs EDNS Client IP... William Allen Simpson
- Re: [dnsext] Re: Privacy vs EDNS Client IP... Jacco Tunnissen
- RE: [dnsext] something for RFC2671-bis Greg Daley
- Re: [dnsext] Re: Privacy vs EDNS Client IP... Paul Vixie
- Re: [dnsext] draft-vandergaast-edns-client-ip-00.… John Payne
- Re: [dnsext] Re: Privacy vs EDNS Client IP... Nicholas Weaver
- Re: [dnsext] something for RFC2671-bis Jim Reid
- RE: [dnsext] something for RFC2671-bis Greg Daley
- Re: [dnsext] Re: Privacy vs EDNS Client IP... bmanning
- Re: [dnsext] Re: Privacy vs EDNS Client IP... Matthew Dempsky
- Re: [dnsext] Re: Privacy vs EDNS Client IP... Matthew Dempsky
- Re: [dnsext] Re: Privacy vs EDNS Client IP... bmanning
- Re: [dnsext] Re: Privacy vs EDNS Client IP... bmanning
- Re: [dnsext] Re: Privacy vs EDNS Client IP... Alex Bligh