On Jul 24, 2017, at 8:59 PM, Christopher Morrow <morrowc.li...@gmail.com> wrote:
> and at the cache->auth layer it's potentially the case that the provider can
> say: "use precision of /24" or "use precision of /17" ? So, there's really
> not much "pii" that can be worried over at the provider-cache-resolver (they
> already know who you are...) and they (provider) can decide how much
> granularity is "important" to release to the upstream authoritative cache.

There is no such thing as an upstream authoritative cache. The filtering is being done at the cache. This is not client subnet: this is client ID. So the cache, which is not authoritative, is receiving PII about a specific client machine.

Being able to filter the PII at the CPE would indeed improve privacy in this case; the problem is that the CPE has to have a UI or API that allows that to happen, and they don't.

The reason DNS filtering is useful is not that it is forced upon the end user, but that it allows devices that use the default cache to get filtering in a way that does not depend on the software installed on them. So e.g. your IoT device can be infected by a worm but not actually exfiltrate any private information to the attacker, because the attacker's DNS is blocked. Being able to know that a particular device is a particular device is actually quite useful in this context; unfortunately, there is no way to distinguish "useful" and "personally-identifying". Even if you only identify the IoT devices in your home, by doing so you reduce the search space for identifying the other devices.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop