Re: [dns-privacy] [Ext] Fwd: New Version Notification for draft-huitema-dprive-dnsoquic-00.txt

2020-03-06 Thread Paul Hoffman 
Thank you for continuing this interesting work. However, a reader might not 
realize that many other folks would prefer DNS/HTTPS/QUIC until the get all the 
way to Section 3.4. Also, the title of that section seems a bit unbalanced, 
given that the text says that people might prefer DNS/HTTPS/QUIC for reasons 
other than hiding from firewalls.

For a future version of this draft, please consider moving the comparison to 
DNS/HTTPS/QUIC, and the discussion of not knowing which one folks will prefer, 
up to the Introduction. That would leave Section 3.4 just about the stated 
design goal.

--Paul Hoffman

smime.p7s
Description: S/MIME cryptographic signature
___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy

Re: [dns-privacy] Fwd: New Version Notification for draft-huitema-dprive-dnsoquic-00.txt

2020-03-06 Thread Tony Finch 
Christian Huitema  wrote:

> We just resubmitted the DNS over QUIC draft to DPRIVE. Thanks in advance
> for the feedback!

Looks promising! I have a few comments:

Is the ALPN "dq" or "doq"? 4.1 and 4.1.1 appear to disagree. 8.1 seems to
disagree with itself.

Section 4.3 (idle timeouts): it's clearly better to use QUIC's facilities
for this, but there could potentially be a conflict with DNS stateful
timeouts (RFC48490) so maybe there needs to be a bit more discussion about
how to resolve disagreements between two protocol layers.

Section 5.4 (response size): there was a HUGE discussion about this in the
context of DoH and the consensus was to retain the 65535 byte message
size limit. DoQ should do the same.

https://mailarchive.ietf.org/arch/msg/doh/fpJSGWI1YtHeTFvmrS7pvB7ZnDA/

The EDNS payload size limit only applies to Do53 UDP and should be ignored
in other transports.

Sections 5.7 and 4.3 seem to be restating the same things in different
ways. They should probably be merged into one.

Section 5.7.1 (connection reuse): possibly also worth stating that servers
should not send responses in order. Maybe refer to RFC7766 which has
similar requirements for TCP.

An editorial suggestion: when referring to RFCs, can you please make it
clear what the reference is about (e.g. the subject of the RFC or name of
protocol) in the paragraph containing the reference, so that readers
can understand the paragraph without having to bounce back and forth to
the references section.

Tony.
-- 
f.anthony.n.finchhttp://dotat.at/
Dover, Wight: Northwest backing west 3 to 5. Slight or moderate. Showers at
first. Good.

___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy

Re: [dns-privacy] Datatracker State Update Notice:

2020-03-06 Thread Eric Rescorla 
On Mon, Mar 2, 2020 at 7:16 AM Sara Dickinson  wrote:

>
>
> On 29 Feb 2020, at 02:03, Eric Rescorla  wrote:
>
>
>
> On Fri, Feb 28, 2020 at 4:50 PM Brian Dickson <
> brian.peter.dick...@gmail.com> wrote:
>
>>
>>
>> On Fri, Feb 28, 2020 at 3:15 PM Eric Rescorla  wrote:
>>
>>>
>>>
>>> On Wed, Feb 26, 2020 at 6:19 AM Sara Dickinson  wrote:
>>>


 On 23 Jan 2020, at 13:53, Eric Rescorla  wrote:

 On Thu, Jan 23, 2020 at 5:08 AM Sara Dickinson 
 wrote:



 On 20 Jan 2020, at 22:37, Eric Rescorla  wrote:

 Review comments attached:


 COMMENTS
> S 3.1.
> >  described above, and may not have any confidentiality
> requirements.
> >  However, the same is not true of a single transaction or a
> sequence
> >  of transactions; that transaction is not / should not be
> public.  A
> >  typical example from outside the DNS world is: the web site of
> >  Alcoholics Anonymous is public; the fact that you visit it
> should not
> >  be.
>
> Well, technically what you want to conceal is the origin of the
> transaction or its linkage to other transactions. The existence of the
> query for that A record isn't secret.
>
>
> Suggest:
>
> “that transaction (and specifically the origin of that transaction) is
> not / should not be public."
>

 The parenthetical swallows the main sentence. The accurate thing to say
 is:

 In general, the existence of a single query is not sensitive -- though
 there may be exceptions
 for some very low use domains. However, the origin of a given query may
 leak information
 about specific users and the ability to link queries reveals
 information about individual use
 patterns.


 To fit with existing text suggest:

  However, the same is not true of a single transaction or a sequence
  of transactions; those transaction are not / should not be public. A
 single
  transactions reveals both the originator of the query and the query
  contents which potentially leaks sensitive information about a
 specific user. A
  typical example from outside the DNS world is: the web site of
  Alcoholics Anonymous is public; the fact that you visit it should not
  be.

>>>
>>> I find this text a bit clumsy, but OK.
>>>
>>>
>>> Furthermore, the ability to link queries reveals information about
 individual use patterns.

>>>
>>> The key thing is "link queries as being from the same user”
>>>
>>
> OK - will include that.
>
>
>
>>>
 



>
>
>
>
> S 3.4.2.
> >  services available.  Given this, the choice of a user to
> configure a
> >  single resolver (or a fixed set of resolvers) and an encrypted
> >  transport to use in all network environments can actually serve
> to
> >  identify the user as one that desires privacy and can provide an
> >  added mechanism to track them as they move across network
> >  environments.
>
> I don't understand this paragraph. It's not the choice of specific
> resolvers that leaks data, but the choice to turn on encryption, In
> fact, from an identification purpose, the more resolvers that support
> encrypted transport, the better signal this is.
>
>
> This was driven by an observation that many early adopters set up
> their own DoT server and used that from all their devices, which could act
> as a way to identify that user.
>

 1. This seems like an edge case.
 2. We already have plenty of people running their own unencrypted
 resolvers for other reasons.


 I can live with removing this text, but it does seem there is something
 to say about the fact configuring a single resolver for a device could
 differentiate a user….

>>>
>>> Sure, but this has nothing to do with DoH or DoT.
>>>
>>>
>> I think the text might be clearer if the bit "as one that desires privacy
>> and" were removed.
>> The issue isn't whether a specific user desires privacy, it is whether a
>> specific user can be identified and tracked.
>>
>> This RFC update, is about privacy.
>> This particular section is on encrypted transport.
>> This paragraph is highlighting that configuring a static list of
>> resolvers, even if those use encrypted transport, may expose the user to
>> privacy risks due to that constant set of resolvers, as the user moves
>> between networks.
>> And this risk is inversely proportional to the number of users of the
>> resolver.
>> Maybe this last bit needs to be added to emphasis why this is a risk?
>>
>> It's about the fact that DoH/DoT don't protect against this or mitigate
>> it, even if the payload is encrypted. I.e. it doesn't not have anything to
>> do with DoH/DoT; it's bigger than DoH/DoT, and DoH/DoT don't fix the
>> problem.
>>
>
> Yes, I

Re: [dns-privacy] Alexey Melnikov's No Objection on draft-ietf-dprive-bcp-op-08: (with COMMENT)

2020-03-06 Thread Vittorio Bertola 

> Il 05/03/2020 18:13 Ben Schwartz  ha 
> scritto:
> 
> 
> 
> 
> 
> On Thu, Mar 5, 2020, 8:35 AM Sara Dickinson < s...@sinodun.com 
> mailto:s...@sinodun.com > wrote:
> 
> > > How about:
> > 
> > “We do not know of a court precedent relating to the question of 
> > whether simply using a DNS resolution service constitutes consent from the 
> > user for the operator to process their query data"
> > 
> > > 
> That sounds like a significant improvement to me.
> 
> Note that "precedent" is a term used by primarily in "common law" 
> jurisdictions like the UK and US, so it may not be meaningful to all readers: 
>  https://en.wikipedia.org/wiki/Precedent#Civil_law_systems
> 
The concept is well understood in civil law systems as well, just precedents 
are not (that) binding.
Ciao,

--

Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bert...@open-xchange.com mailto:vittorio.bert...@open-xchange.com 
Office @ Via Treviso 12, 10144 Torino, Italy
___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy