Re: [DNSOP] draft-tale-dnsop-edns-clientid

Ray Bellis <> Wed, 29 March 2017 05:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 029CC129685 for <>; Tue, 28 Mar 2017 22:27:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id bLqOIVMGkJbZ for <>; Tue, 28 Mar 2017 22:27:04 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D7A3A12967B for <>; Tue, 28 Mar 2017 22:27:02 -0700 (PDT)
Received: from ([]:53769 helo=rays-mbp.local) by ([]:465) with esmtpsa ( (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) id 1ct66e-0008LH-EV (Exim 4.72) for (return-path <>); Wed, 29 Mar 2017 06:25:16 +0100
References: <> <> <>
From: Ray Bellis <>
Message-ID: <>
Date: Wed, 29 Mar 2017 00:25:15 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [DNSOP] draft-tale-dnsop-edns-clientid
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 29 Mar 2017 05:27:07 -0000

On 28/03/2017 16:02, Dave Lawrence wrote:

> Understandable.  I honestly have similar reservations.
> One thing that clouds this a little, as far as our draft is concerned,
> is that the ISP's CPE already knows this information so in a sense it
> isn't that a different party is being informed.
> What I'm trying to accomplish with this draft is acknowledge the
> practical realities that this sort of option is already in use on the
> Internet and will continue to be used no matter what the WG does about
> either of our drafts.  I also wanted to drag the PII issues out into
> the open, into one place where they would have to be confronted by
> implementers and operators.
> I fear that a splintered effort on including full client-identifying
> information in several different ways is going to lead to problematic
> fragmentation and harder management.

The examples in your draft appear focused on identifying specific end
user devices, e.g. to selectively enable parental controls on a
per-device basis.

Mine is intended to identify clients based on their presented IP address
(whether that be the public IP address of multiple NATed end users
talking to a recursor, or the external IP address of a recursor talking
to an authoritative server).  The primary purpose is for admission
control (i.e. ACLs).

I therefore think there's a simple test here:

If we can imagine scenarios in which an auth or recursive server that is
behind e.g. a load-balancing proxy needs to know *both* the internal
"client ID" (per your draft) and the client's effective external source
IP address (per mine) then both drafts serve their own distinct purpose
and shouldn't be merged.