Re: [hrpc] Working group last call for draft-irtf-hrpc-guidelines
Stephane Bortzmeyer <bortzmeyer@nic.fr> Thu, 01 July 2021 17:00 UTC
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: hrpc@ietfa.amsl.com
Delivered-To: hrpc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF6993A0AE8 for <hrpc@ietfa.amsl.com>; Thu, 1 Jul 2021 10:00:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t_mcWAqPcdyi for <hrpc@ietfa.amsl.com>; Thu, 1 Jul 2021 10:00:50 -0700 (PDT)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DAA03A0BCA for <hrpc@irtf.org>; Thu, 1 Jul 2021 10:00:02 -0700 (PDT)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id 6FC5E280B10; Thu, 1 Jul 2021 18:59:59 +0200 (CEST)
Received: by mx4.nic.fr (Postfix, from userid 500) id 67C7A2810CB; Thu, 1 Jul 2021 18:59:59 +0200 (CEST)
Received: from relay01.prive.nic.fr (relay01.prive.nic.fr [IPv6:2001:67c:2218:15::11]) by mx4.nic.fr (Postfix) with ESMTP id 5F9DB280B10; Thu, 1 Jul 2021 18:59:59 +0200 (CEST)
Received: from b12.nic.fr (b12.users.prive.nic.fr [10.10.86.133]) by relay01.prive.nic.fr (Postfix) with ESMTP id 5ACD460911A0; Thu, 1 Jul 2021 18:59:59 +0200 (CEST)
Received: by b12.nic.fr (Postfix, from userid 1000) id 4AABD3FF0D; Thu, 1 Jul 2021 18:59:34 +0200 (CEST)
Date: Thu, 01 Jul 2021 18:59:34 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Mallory Knodel <mknodel@cdt.org>
Cc: Gurshabad Grover <gurshabad@cis-india.org>, Mallory Knodel <mallory@cdt.org>, "hrpc@irtf.org" <hrpc@irtf.org>, Eliot Lear <lear@lear.ch>
Message-ID: <20210701165934.GA24015@nic.fr>
References: <447c4444-800b-dfb9-de3e-bbbe3bb4ac64@lear.ch> <6b540117-38a6-fbfa-3749-048d14b34f38@cis-india.org> <CAGVFjMK5K_VQWiQCre7r21c+ofasyUshP5wFYSxmjtX5147Q6Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAGVFjMK5K_VQWiQCre7r21c+ofasyUshP5wFYSxmjtX5147Q6Q@mail.gmail.com>
X-Operating-System: Debian GNU/Linux 10.10
X-Kernel: Linux 4.19.0-17-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Bogosity: No, tests=bogofilter, spamicity=0.108235, version=1.2.2
X-PMX-Version: 6.4.9.2830568, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2021.7.1.164216, AntiVirus-Engine: 5.83.0, AntiVirus-Data: 2021.7.1.5830001
Archived-At: <https://mailarchive.ietf.org/arch/msg/hrpc/BDsSrf4CdOo9_h7dQlTb9z62aGY>
Subject: Re: [hrpc] Working group last call for draft-irtf-hrpc-guidelines
X-BeenThere: hrpc@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: hrpc discussion list <hrpc.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/hrpc>, <mailto:hrpc-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hrpc/>
List-Post: <mailto:hrpc@irtf.org>
List-Help: <mailto:hrpc-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/hrpc>, <mailto:hrpc-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Jul 2021 17:00:55 -0000
On Mon, Jun 28, 2021 at 03:14:04PM -0400, Mallory Knodel <mknodel@cdt.org> wrote a message of 145 lines which said: > Here’s that text: https://github.com/mallory/DNS-Privacy. I'm not convinced. This paper has several weaknesses: * it speaks mostly about *one* deployement model of DoT/DoH, and criticize it, instead of promoting other models, * it is very close from the arguments of the Internet access providers (as presented in RFC 8404) "encryption is a problem for us", * with the very same arguments about research and monitoring, we could suppress all encryption. (The paper does not propose a criteria to separate things that have the right to be encrypted and the things that would have to stay in clear. Calling DNS requests "metadata" is may be an attempt to have such a criteria. If so, it is a bad one.) > Making DNS lookup more private for the user affects internet > measurements, consolidates service provision No. There is zero relationship between "making DNS lookup more private" and "consolidates service provision". Big public DNS resolvers existed before DoT and DoH (I bet that the vast majority of requests to 8.8.8.8 and 1.1.1.1 are not over DoT/DoH). Saying that "Making DNS lookup more private for the user consolidates service provision" is like saying SMTP created Gmail. > Making DNS lookup more private for the user [...] risks internet > shutdown for some users This one really upset me. The responsability of Internet shutdowns is 100% on the side of the censors/governments/etc. Accusing the user who tried to improve his/her privacy is a bad idea. For every security measure, the other side will try to find a counter-measure and we don't accuse security measures of being responsible for the nasty effects of these counter-measures. > Needless to say, it is not in the public interest for internet > traffic to be consolidated on only a few network operators. And therefore the solution is to have many secure resolvers (in the same way that the solution to centralized social networks is to have many instances of a decentralized protocol), not to stop deploying DoT/DoH. > App developers on these platforms can now enable encrypted DNS for > app-specific lookups even if the system resolver doesn’t use > encrypted DNS or uses a different resolver. This has nothing to do with DoT or DoH. Applications were always able to have their own resolution. Anyway, the solution is not to drop DoT/DoH (see my remark above about the fact that this paper seems to consider there is only one way to deploy DoT/DoH) but to have the OS resolver use DoT (Android now does it) or DoH (Windows 11 now does it).
- [hrpc] Working group last call for draft-irtf-hrp… Mallory Knodel
- Re: [hrpc] Working group last call for draft-irtf… Eliot Lear
- Re: [hrpc] Working group last call for draft-irtf… Mallory Knodel
- Re: [hrpc] Working group last call for draft-irtf… Gurshabad Grover
- Re: [hrpc] Working group last call for draft-irtf… Mallory Knodel
- Re: [hrpc] Working group last call for draft-irtf… farzaneh badii
- Re: [hrpc] Working group last call for draft-irtf… Eliot Lear
- [hrpc] "DNS Privacy Vs" Re: Working group last ca… Mallory Knodel
- Re: [hrpc] Working group last call for draft-irtf… Stephane Bortzmeyer
- Re: [hrpc] Working group last call for draft-irtf… Eliot Lear
- Re: [hrpc] Working group last call for draft-irtf… Stephen Farrell
- Re: [hrpc] Working group last call for draft-irtf… Eliot Lear
- [hrpc] DNS Privacy Vs. Re: Working group last cal… Mallory Knodel
- Re: [hrpc] Working group last call for draft-irtf… Mallory Knodel