Re: [DNSOP] EDNS0 clientID is a wider-internet question

Paul Vixie <> Tue, 25 July 2017 19:26 UTC

Date: Tue, 25 Jul 2017 12:26:32 -0700
From: Paul Vixie <>
To: dnsop <>

Paul Wouters wrote:
> On Tue, 25 Jul 2017, Paul Vixie wrote:
>> users believe that the recursive name server operator has aligned
>> interests, and for that reason one shouldn't say "it's easy to bypass"
>> but rather "end-user cooperation is required."
> So if and your local ISP's nameserver do this to track you, what
> choice does an average end user have?

some of us run our own rdns. some use vpns. some use opendns or similar.

> Because this option transmits information that is meant to identify
> specific clients

and that's a reason to oppose adoption, as far as i'm concerned.

> You should really have said "This draft attempts to link the DNS query
> to the individual TCP stream following to identify the specific user,
> to then apply specific filtering/censoring/protecting policies to the
> identified individual users (eg children, dissidents) for their own
> good".

that's a significant overstatement. the user is more likely to send an 
http cookie than to have the rdns server send a per-user ID on their 
behalf. moreover, parental controls are a fig leaf, almost a joke, and 
so is dns-level filtering. as i wrote the other day:

<< I fought SOPA not because I believed that content somehow "wanted to
be free", but because this kind of filtering will only be effective
where the end-users see it as a benefit — see it, in other words, as
aligned with their interests. >>

when you invoke "for their own good" you're worrying about internet 
unilateralism that does not actually or in any effective way exist.

if tale wants to create a signaling pattern that's so bypassable that 
no one will ever use it unless they want its impacts, let him.

P Vixie