Re: [DNSOP] EDNS0 clientID is a wider-internet question

Paul Vixie <paul@redbarn.org> Tue, 25 July 2017 08:07 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DE7312F280 for <dnsop@ietfa.amsl.com>; Tue, 25 Jul 2017 01:07:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gf-0Zj-mmX5K for <dnsop@ietfa.amsl.com>; Tue, 25 Jul 2017 01:07:52 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C548F127978 for <dnsop@ietf.org>; Tue, 25 Jul 2017 01:07:52 -0700 (PDT)
Received: from [10.8.200.238] (unknown [136.179.21.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 2DADA61FF3; Tue, 25 Jul 2017 08:07:52 +0000 (UTC)
Message-ID: <5976FC55.10301@redbarn.org>
Date: Tue, 25 Jul 2017 01:07:49 -0700
From: Paul Vixie <paul@redbarn.org>
User-Agent: Postbox 5.0.16 (Windows/20170718)
MIME-Version: 1.0
To: Jacob Hoffman-Andrews <jsha@eff.org>
CC: Paul Wouters <paul@nohats.ca>, Christopher Morrow <morrowc.lists@gmail.com>, dnsop WG <dnsop@ietf.org>, Ted Lemon <mellon@fugue.com>, George Michaelson <ggm@algebras.org>
References: <CAKr6gn1mZ7VTfM_wtpFX-G95wg-bWRA_YciZScFvr-YX8eYdWg@mail.gmail.com> <CAPt1N1nutxneiZg1JR90O5vRXVs+0WHvRtHpwCRyn4bXpf6g4A@mail.gmail.com> <CAL9jLaZrsiGZUPJzT1bZG-K2mTt3wP=x05-_Qp=rRh8uaBjS4g@mail.gmail.com> <5D73941C-B108-4A14-AEE5-7A28BCA94373@nohats.ca> <8d27cf2a-a883-7186-11bb-eeacd0bce68c@eff.org>
In-Reply-To: <8d27cf2a-a883-7186-11bb-eeacd0bce68c@eff.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/GK_ZyYdjn10n-5ufbWwCWgOy5Bw>
Subject: Re: [DNSOP] EDNS0 clientID is a wider-internet question
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jul 2017 08:07:54 -0000


Jacob Hoffman-Andrews wrote:
> I agree: The EDN0 Client ID draft seems quite bad from a privacy
> perspective, and I believe it should not be adopted.
>
> More broadly, enforcing content blocks with DNS is an anti-pattern. If
> we're assuming that the entity doing the content blocking has
> administrative access to DNS clients, they can simply install content
> blockers there.

i think content blocking is a reach -- in your interpretation.

this is about CDN. as in, how to decide which address record set to give 
a dns client, given that all you know is the recursive server address, 
yet you're trying to implement policy for an expected tcp session that 
might immediately follow.

> ... The draft even acknowledges the ineffectiveness of DNS-based content
> blocking:
>
>>    DNS filtering products are easy circumvented and should not be
>>    considered real security measures.  With commonly available tools it
>>    is trivial to discover the non-filtered DNS responses and use them in
>>    place of the filtered responses.
>
> So it seems incorrect to propagate a privacy-harming DNS extension that
> is ineffective at its stated goals.

your reasoning is flawed. there are indeed privacy problems here. the 
data miners and data scientists and aggregators of the world will have a 
much better idea which end user a dns request was generated for, in the 
case where all they see is above the recursive not below, and this 
option is used. that's a fine reason to oppose adoption.

but it's got precious little to do with content filtering. as i wrote in 
a recent circleid article, dns-level content filtering will only work 
when end users believe that the recursive name server operator has 
aligned interests, and for that reason one shouldn't say "it's easy to 
bypass" but rather "end-user cooperation is required."

this draft would be more adoption-worthy if it used similar language.

see also:

http://www.circleid.com/posts/20170718_nation_scale_internet_filtering_dos_and_donts/

-- 
P Vixie