Re: [DNSOP] EDNS0 clientID is a wider-internet question

Paul Wouters <paul@nohats.ca> Tue, 25 July 2017 08:22 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9248F127978 for <dnsop@ietfa.amsl.com>; Tue, 25 Jul 2017 01:22:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BD_2kshX1dcD for <dnsop@ietfa.amsl.com>; Tue, 25 Jul 2017 01:22:34 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F6BB1200F3 for <dnsop@ietf.org>; Tue, 25 Jul 2017 01:22:34 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3xGrnz2PHxz3Nr for <dnsop@ietf.org>; Tue, 25 Jul 2017 10:22:31 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1500970951; bh=7/+pvcqn6OkN+ivsLEyd7tqp201lOkodNHBzXcFSvRk=; h=Date:From:To:Subject:In-Reply-To:References; b=aw6/YU0++smls2ZCNnqWzuwghxbSzzBV+LGEPVZ2sPyXyEYi3E4vX9ldGeMgBzWE2 fF7mtcsnDJ/wZGUdl1K1rF1unUe9xd6mP0e8H2EFc/hxDh1BJUebxbAja/ojn1hU9n kmQ32ALD7UqAJNeASqfEgPfXG3/QGfEdWUxBgo4g=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id jPd6vxl0lXQt for <dnsop@ietf.org>; Tue, 25 Jul 2017 10:22:30 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS for <dnsop@ietf.org>; Tue, 25 Jul 2017 10:22:29 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id C8B9630AFA2; Tue, 25 Jul 2017 04:22:28 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca C8B9630AFA2
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id B1FF240D3592 for <dnsop@ietf.org>; Tue, 25 Jul 2017 04:22:28 -0400 (EDT)
Date: Tue, 25 Jul 2017 04:22:28 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <5976FC55.10301@redbarn.org>
Message-ID: <alpine.LRH.2.21.1707250412390.19091@bofh.nohats.ca>
References: <CAKr6gn1mZ7VTfM_wtpFX-G95wg-bWRA_YciZScFvr-YX8eYdWg@mail.gmail.com> <CAPt1N1nutxneiZg1JR90O5vRXVs+0WHvRtHpwCRyn4bXpf6g4A@mail.gmail.com> <CAL9jLaZrsiGZUPJzT1bZG-K2mTt3wP=x05-_Qp=rRh8uaBjS4g@mail.gmail.com> <5D73941C-B108-4A14-AEE5-7A28BCA94373@nohats.ca> <8d27cf2a-a883-7186-11bb-eeacd0bce68c@eff.org> <5976FC55.10301@redbarn.org>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/bIYsjt-R1RXvsibHeYdDLGMNrSg>
Subject: Re: [DNSOP] EDNS0 clientID is a wider-internet question
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jul 2017 08:22:35 -0000

On Tue, 25 Jul 2017, Paul Vixie wrote:

> users believe that the recursive name server operator has aligned interests, 
> and for that reason one shouldn't say "it's easy to bypass" but rather 
> "end-user cooperation is required."

So if 8.8.8.8 and your local ISP's nameserver do this to track you, what
choice does an average enduser have?

> this is about CDN. as in, how to decide which address record set to give
> a dns client, given that all you know is the recursive server address,
> yet you're trying to implement policy for an expected tcp session that
> might immediately follow.

This draft, unlike ECS, is about pinning individual users and tracking
them. You saying this is needed for an optimized CDN based TCP stream
is not fairly covering the use case of gathering PII.

 	Because this option trasmits information that is meant to identify
 	specific clients

You should really have said "This draft attempts to link the DNS query
to the individual TCP stream following to identify the specific user,
to then apply specific filtering/censoring/protecting policies to the
identified individual users (eg children, dissidents) for their own
good".

If you just wanted CDN optimalization, the ISP recursive server could
simply use ECS.

Paul