Re: [DNSOP] I-D Action: draft-ietf-dnsop-server-cookies-00.txt
Philip Homburg <pch-dnsop-3@u-1.phicoh.com> Mon, 09 September 2019 13:45 UTC
Return-Path: <pch-b9D3CB0F5@u-1.phicoh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29C5C120825 for <dnsop@ietfa.amsl.com>; Mon, 9 Sep 2019 06:45:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.499
X-Spam-Level:
X-Spam-Status: No, score=-1.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.399, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dMk6U0kHsFO4 for <dnsop@ietfa.amsl.com>; Mon, 9 Sep 2019 06:45:18 -0700 (PDT)
Received: from stereo.hq.phicoh.net (stereo6-tun.hq.phicoh.net [IPv6:2001:888:1044:10:2a0:c9ff:fe9f:17a9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2046D120807 for <dnsop@ietf.org>; Mon, 9 Sep 2019 06:45:18 -0700 (PDT)
Received: from stereo.hq.phicoh.net (localhost [::ffff:127.0.0.1]) by stereo.hq.phicoh.net with esmtp (TLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384) (Smail #157) id m1i7Jym-0000HKC; Mon, 9 Sep 2019 15:45:16 +0200
Message-Id: <m1i7Jym-0000HKC@stereo.hq.phicoh.net>
To: dnsop@ietf.org
Cc: Willem Toorop <willem@nlnetlabs.nl>
From: Philip Homburg <pch-dnsop-3@u-1.phicoh.com>
Sender: pch-b9D3CB0F5@u-1.phicoh.com
References: <156802477017.28268.17780089460480647573@ietfa.amsl.com> <86ff56cd-c936-0a81-b276-f4fd61635c7f@nlnetlabs.nl>
In-reply-to: Your message of "Mon, 9 Sep 2019 14:13:01 +0200 ." <86ff56cd-c936-0a81-b276-f4fd61635c7f@nlnetlabs.nl>
Date: Mon, 09 Sep 2019 15:45:14 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7H_6S9hc3xiizv7F4LzUhwEtawY>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-server-cookies-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Sep 2019 13:45:20 -0000
In your letter dated Mon, 9 Sep 2019 14:13:01 +0200 you wrote: >When implementing DNS Cookies, several DNS vendors found that >impractical as the Client Cookie is typically computed before the Client >IP address is known. Therefore, the requirement to put Client IP address >as input to was removed, and it simply RECOMMENDED to disable the DNS >Cookies when privacy is required. herefore, the requirement to put >Client IP address as input to was removed, and it simply RECOMMENDED to >disable the DNS Cookies when privacy is required. I don't quite understand this. The proposed way of constructing a client cookie: Client-Cookie = MAC_Algorithm(Server IP Address, Client Secret ) means that if a host moves between networks it is quite likely it will continue to use the same cookie. This allows a host to be tracked across networks. Neither RFC 7873 nor this draft has text that requires the host to change the Client Secret when moving to a different link. Most DNS client software is general enough that we cannot rule out that it will be used on a mobile device. So we reach then end of Section 3, which says '[...] simply RECOMMENDED to disable the DNS Cookies when privacy is required' So it seems that this draft implicitly recommends that DNS client cookies are by default disabled and should only be enabled on hosts that have stable IP addresses. If that's the intention, then maybe this can be stated explicitly in the introduction.
- [DNSOP] I-D Action: draft-ietf-dnsop-server-cooki… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-server-c… Willem Toorop
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-server-c… Paul Wouters
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-server-c… Philip Homburg
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-server-c… Willem Toorop
- [DNSOP] tools issue? was Re: I-D Action: draft-ie… Paul Wouters
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-server-c… Willem Toorop
- Re: [DNSOP] [TOOLS-DEVELOPMENT] tools issue? was … Russ Housley
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-server-c… Philip Homburg
- Re: [DNSOP] [TOOLS-DEVELOPMENT] tools issue? was … Robert Sparks
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-server-c… Philip Homburg
- Re: [DNSOP] [TOOLS-DEVELOPMENT] tools issue? was … Paul Wouters
- Re: [DNSOP] [TOOLS-DEVELOPMENT] tools issue? was … Russ Housley
- Re: [DNSOP] [TOOLS-DEVELOPMENT] tools issue? was … Robert Sparks
- Re: [DNSOP] [TOOLS-DEVELOPMENT] tools issue? was … Paul Wouters
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-server-c… Philip Homburg