On 09-09-19 15:45, Philip Homburg wrote:
> In your letter dated Mon, 9 Sep 2019 14:13:01 +0200 you wrote:
>> When implementing DNS Cookies, several DNS vendors found that
>> impractical as the Client Cookie is typically computed before the Client
>> IP address is known. Therefore, the requirement to put Client IP address
>> as input to was removed, and it simply RECOMMENDED to disable the DNS
>> Cookies when privacy is required.
>
> I don't quite understand this.
>
> The proposed way of constructing a client cookie:
> Client-Cookie = MAC_Algorithm(Server IP Address, Client Secret )
>
> means that if a host moves between networks it is quite likely it will
> continue to use the same cookie. This allows a host to be tracked across
> networks.
This is true. Including the Client IP in constructing the Client Cookie was intended to deal with this, but this operation is impractical with UDP; expensive at best and not suitable for high volume recursive to authoritative traffic. We could recommend it for stub to recursive traffic, for which the high volume performance requirements are less of an issue... what do you think?

> Neither RFC 7873 nor this draft has text that requires the host to change
> the Client Secret when moving to a different link.
>
> Most DNS client software is general enough that we cannot rule out that it
> will be used on a mobile device.
>
> So we reach the end of Section 3, which says '[...] simply RECOMMENDED
> to disable the DNS Cookies when privacy is required'
>
> So it seems that this draft implicitly recommends that DNS client
> cookies are by default disabled and should only be enabled on hosts that have
> stable IP addresses.
>
> If that's the intention, then maybe this can be stated explicitly in the
> introduction.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
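The cookie construction discussed in this thread, as an added illustration that is not code from the draft, RFC 7873, or either poster: it computes `MAC(Server IP, Client Secret)` with and without the Client IP mixed in, and shows a hypothetical stub that keeps the plain construction but rotates its Client Secret on link change. HMAC-SHA256 truncated to 64 bits is an assumed MAC choice (RFC 7873 leaves the algorithm to the client), and all addresses and secrets are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional


def client_cookie(server_ip: str, client_secret: bytes,
                  client_ip: Optional[str] = None) -> bytes:
    """Return a 64-bit Client Cookie for one server.

    The MAC algorithm is an assumption for illustration: HMAC-SHA256
    truncated to 8 bytes. Passing client_ip mixes the client's own
    address into the MAC input, as the removed requirement did.
    """
    msg = ipaddress.ip_address(server_ip).packed
    if client_ip is not None:
        msg += ipaddress.ip_address(client_ip).packed
    return hmac.new(client_secret, msg, hashlib.sha256).digest()[:8]


def linkable_across_networks(server_ip: str, client_secret: bytes,
                             ip_on_link_a: str, ip_on_link_b: str,
                             include_client_ip: bool) -> bool:
    """True when the server would see the same Client Cookie from both
    links, i.e. the cookie alone lets it correlate the host's queries
    across networks (the privacy concern raised in the thread)."""
    a = client_cookie(server_ip, client_secret,
                      ip_on_link_a if include_client_ip else None)
    b = client_cookie(server_ip, client_secret,
                      ip_on_link_b if include_client_ip else None)
    return a == b


class RotatingSecretStub:
    """Hypothetical stub resolver: keeps MAC(Server IP, Client Secret),
    which needs no knowledge of its own address, but draws a fresh
    Client Secret whenever its link changes, so cookies do not carry
    over between networks."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(16)

    def on_link_change(self) -> None:
        self.secret = secrets.token_bytes(16)  # new secret, new cookies

    def cookie_for(self, server_ip: str) -> bytes:
        return client_cookie(server_ip, self.secret)
```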