IETF Logo Mail Archive

Re: [DNSOP] Proposal: Whois over DNS

John Bambenek <jcb@bambenekconsulting.com> Tue, 09 July 2019 18:04 UTC

Return-Path: <jcb@bambenekconsulting.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAC9F1208F6 for <dnsop@ietfa.amsl.com>; Tue, 9 Jul 2019 11:04:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.289
X-Spam-Level:
X-Spam-Status: No, score=-4.289 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bambenekconsulting.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UmNFzDcIJ0Dy for <dnsop@ietfa.amsl.com>; Tue, 9 Jul 2019 11:04:25 -0700 (PDT)
Received: from chicago.bambenekconsulting.com (chicago.bambenekconsulting.com [99.198.96.122]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 808721208F2 for <dnsop@ietf.org>; Tue, 9 Jul 2019 11:04:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bambenekconsulting.com; s=default; h=Content-Transfer-Encoding:Content-Type :In-Reply-To:MIME-Version:Date:Message-ID:From:References:Cc:To:Subject: Sender:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=Bw0nfucqtPY5BqrqpqeFGsV47iKCe/sVt4g9fRsa3S4=; b=JcMQ4cgV2DxNZ6u2yAqAoguy09 8yw5FR20FUqdE/2K8+Lu+nnmqkhv9GOfcXzUU0Xw3f5rXSoMjIraHxRSSgaYLwKNBLzE5C5HGLXFS +a0pHtBSTMHe1hjq2+PtMYlTDAQitJGrZZtTRNlyYYOA/V/FhM60NBeDEQuKtKaFlQGQ=;
Received: from [216.169.1.210] (port=18227 helo=jcb.local) by chicago.bambenekconsulting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92) (envelope-from <jcb@bambenekconsulting.com>) id 1hkuTO-0004Zl-0H; Tue, 09 Jul 2019 14:04:14 -0400
To: Bjarni Rúnar Einarsson <bre@isnic.is>
Cc: dnsop@ietf.org
References: <23e86618-610f-8b49-a3bc-4417ebc28efd@bambenekconsulting.com> <YDgWic8mGpxJeIMdsWLQJ8o4cTsEx4k7MecSj2522353@mailpile>
From: John Bambenek <jcb@bambenekconsulting.com>
Openpgp: preference=signencrypt
Message-ID: <d421a54f-ef91-9527-c2d2-88fbd00bbc59@bambenekconsulting.com>
Date: Tue, 09 Jul 2019 13:04:13 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.7.2
MIME-Version: 1.0
In-Reply-To: <YDgWic8mGpxJeIMdsWLQJ8o4cTsEx4k7MecSj2522353@mailpile>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - chicago.bambenekconsulting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - bambenekconsulting.com
X-Get-Message-Sender-Via: chicago.bambenekconsulting.com: authenticated_id: jcb@bambenekconsulting.com
X-Authenticated-Sender: chicago.bambenekconsulting.com: jcb@bambenekconsulting.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/99Wz1FKJPIcG7zISUMaz6Hji6no>
Subject: Re: [DNSOP] Proposal: Whois over DNS
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jul 2019 18:04:28 -0000

> John Bambenek <jcb=40bambenekconsulting.com@dmarc.ietf.org>
> wrote:
>
> > But is the risk to self-identification as present when
> > role-based accounts could be used as opposed to PII? I guess
> > I'm not understanding the risks of people accidentally
> > disclosing what they don't intend to.
>
> The risk is this: until people have been burned by over-sharing
> sensitive information, most are very ill informed about the fact
> that sharing is risky at all.
>
> People literally won't understand that listing their name and
> phone number, to assert ownership of a domain, ALSO exposes that
> data to any creative criminal who knows how to wield dig as part
> of preparing their spear-phishing campaign (as a random example).
> Or expose their current address to a vindictive ex.
>
> Most people won't understand this until it's too late, until
> they've been burned.

But are these the unsophisticated users the ones who are going to adopt
this? Can't this be mitigated by any number of forms of user education?
If we're talking about those who don't know about over-exposing
sensitive information, those are the ones exposing a great deal on
twitter, facebook, et al, or sending nudes over texts. We're talking
about putting an email address on a DNS record here. If you own a domain
in the first place, some level of knowledge should be presumed. If
you're running your own DNS server, odds are you know SOMETHING. And if
you are having the registrar (or whomever) host your DNS, then a popup
that says "are you sure?" could help here.

The risks of "over-sharing" are inherent in having a domain in the first
place, in my mind. Am I wrong in that position?

>
> Many domain owners are barely technically literate, DNS is not
> just used by medium and large organizations with dedicated IT
> staff. Many domain owners do not have an "organizational role" to
> list, even if that were the encouraged default option.
>
> Understanding how your data puts you at risk requires both
> thinking in an adversarial way, and requires understanding how
> the technology works. Very few people have that combination of
> skills, even within tech.
>
> As a result, the only reasonable assumption is that any system
> which encourages the collection (let alone the publication) of
> personal data must be considered risky, even dangerous. We have
> too many such systems as it is, we need to think very carefully
> and need strong justification for creating more of them.
>
> Another way to put it: if a system requires you think and
> exercise care to stay safe, that means the system itself is by
> default unsafe. Building unsafe systems is not good engineering
> practice.
>
Devil's advocate, and my intent is not argumentative. All this is true
in having a domain (or a social media account, really). I only allow for
someone to optionally put in a name, email, address, and phone number
into DNS. If you have a domain, odds are you have a website if they are
the above class of person. A website allows you to literally publish
whatever you want. One could put their tax returns on their website.

If the standard is "Let's not let people put an email address in DNS
because some subset of people can't understand the risks", hasn't that
ship already sailed by letting them have a website (were odds are, they
are publishing contact info), an email account, or access to social media?

v2.23.0 | Report a Bug | By Email