Re: [DNSOP] EDNS0 clientID is a wider-internet question

Paul Vixie <paul@redbarn.org> Tue, 25 July 2017 19:26 UTC

Message-ID: <59779B68.2000906@redbarn.org>
Date: Tue, 25 Jul 2017 12:26:32 -0700
From: Paul Vixie <paul@redbarn.org>
To: dnsop <dnsop@ietf.org>
References: <CAKr6gn1mZ7VTfM_wtpFX-G95wg-bWRA_YciZScFvr-YX8eYdWg@mail.gmail.com> <CAPt1N1nutxneiZg1JR90O5vRXVs+0WHvRtHpwCRyn4bXpf6g4A@mail.gmail.com> <CAL9jLaZrsiGZUPJzT1bZG-K2mTt3wP=x05-_Qp=rRh8uaBjS4g@mail.gmail.com> <5D73941C-B108-4A14-AEE5-7A28BCA94373@nohats.ca> <8d27cf2a-a883-7186-11bb-eeacd0bce68c@eff.org> <5976FC55.10301@redbarn.org> <alpine.LRH.2.21.1707250412390.19091@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1707250412390.19091@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/o7xE5bom7HPGR4NGof-i-4IBCTw>


Paul Wouters wrote:
> On Tue, 25 Jul 2017, Paul Vixie wrote:
>
>> users believe that the recursive name server operator has aligned
>> interests, and for that reason one shouldn't say "it's easy to bypass"
>> but rather "end-user cooperation is required."
>
> So if 8.8.8.8 and your local ISP's nameserver do this to track you, what
> choice does an average end user have?

some of us run our own rdns. some use vpns. some use opendns or similar.

> Because this option transmits information that is meant to identify
> specific clients

and that's a reason to oppose adoption, as far as i'm concerned.

> You should really have said "This draft attempts to link the DNS query
> to the individual TCP stream following to identify the specific user,
> to then apply specific filtering/censoring/protecting policies to the
> identified individual users (eg children, dissidents) for their own
> good".

that's a significant overstatement. the user is more likely to send an 
http cookie than to have the rdns server send a per-user ID on their 
behalf. moreover, parental controls are a fig leaf, almost a joke, and 
so is dns-level filtering. as i wrote the other day:

<< I fought SOPA not because I believed that content somehow "wanted to
be free", but because this kind of filtering will only be effective
where the end-users see it as a benefit — see it, in other words, as
aligned with their interests. >>

http://www.circleid.com/posts/20170718_nation_scale_internet_filtering_dos_and_donts/

when you invoke "for their own good" you're worrying about internet 
unilateralism that does not actually or in any effective way exist.

if tale wants to create a signaling pattern that's so bypassable that 
no one will ever use it unless they want its impacts, let him.

-- 
P Vixie