On 12/1/13, 1:06 PM, Paul Hoffman wrote:
> On Dec 1, 2013, at 12:09 PM, Stephane Bortzmeyer <bortzme...@nic.fr>
> wrote:
>
>> On Wed, Nov 27, 2013 at 09:42:16AM -0800, Paul Hoffman
>> <paul.hoff...@vpnc.org> wrote a message of 52 lines which said:
>>
>>> Ummm, yes, but your message (and the Introduction) made it sound
>>> like the emphasis of the draft is on listing the privacy
>>> implications, and not the suggested changes to deal with them.
>>> Choose a story and stick to it. :-)
>>
>> Let me rephrase it to be sure I've understood: I should split the
>> draft in two, one draft only exposing the privacy issues and
>> another one (or several?) describing the proposed solutions.
>> Correct?
>
> Or retitle the draft from "DNS privacy problem statement" to "List of
> Solutions for DNS Privacy". When I started reading, I assumed that
> this was really a problem statement. That was further emphasized by
> the lead-in to Section 5 that says "Remember that the focus of this
> document is on describing the threats, not in detailing solutions."
>
>> If so, what is the opinion of the rest of this working group?
>
> This still feels like a misuse of the DNSOP WG. The beginning of
> Section 5.1.2 declares (I believe correctly) "To really defeat an
> eavesdropper, there is only one solution: encryption." The section
> then goes on to show why that is not possible with today's protocols.
> Thus, this seems exactly wrong for the DNSOP WG. I strongly propose
> that this type of DNS work be done in the Applications Area because
> it is those applications that need to be analyzed and likely changed
> to fit the scenarios you describe.

I see that as an operational problem. Protocol changes are probably not something we should do here but if you need to talk about the problem from the vantage point of a consumer or an operator that seems ok.

>>> We haven't gotten into commenting on the stuff in section 5. When
>>> we do, I'll point out the futility of gratuitous queries.
>>
>> Please go ahead, you can discuss any part of the draft you want.
>
> Here's a start: "Padding the DNS query stream will have a negative
> effect on the DNS systems as a whole, but will only thwart passive
> surveillance for those attackers who cannot store and process the
> larger stream. There is no current evidence that the bad actors in
> question have such limitations."
>
>>
>>> "has a relationship" is fairly weak. Rendering the web page
>>> returned by a browser query can easily generate 50 DNS queries to
>>> places the user has never heard of. Your document needs to cover
>>> the privacy implications of DNS requests that were done without
>>> intention. Further, the world is more than browsers. The fact
>>> that an app I am using is doing a lookup for imap.badplace.org is
>>> also important.
>>
>> Send text :-)
>
> It's not just added text, and nor does it have a smiley. It is a
> completely different view than what you have in the current
> document.
>
>> I suggest not to do this myself but to point to the various studies
>> using the DNS traffic to find out what the people are doing. Would
>> it address your request?
>
> Not really, because almost no one reading this document will actually
> read the studies. It would be better if the draft itself described
> what we know about how users' applications tend to do DNS requests
> for the users and not make any implication that the user understands
> this.
>
> _______________________________________________ DNSOP mailing list
> DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
>