[atlas] EDNS Client Subnet

On Mon, Jan 28, 2019 at 1:41 PM Philip Homburg <philip.homburg at ripe.net>
wrote:

> On 2019/01/28 14:33 , Rami Al-Dalky wrote:
> > When I tried to create a DNS measurement, I found that the only way to
> > send DNS query with option is to set default_client_subnet to True.
> > However, by setting this option, a DNS query will be sent with 0.0.0.0/0
> > <http://0.0.0.0/0> as client subnet.
> >
> > Is there a reason why ECS is implemented that way? If it for privacy
> > issue, the RFC recommends to sent the client IP with /24 prefix for IPv4
> > and /56 for IPv6 to preserve the privacy.
>
> Let me point out that we chose 0.0.0.0/0 to avoid all privacy issues.
> The recommendation just reduces privacy issues.
>
>
What privacy issues are concerned when allowing a measurement creator to
specify an ECS value that the probe should send along with DNS queries? Is
it that some actors on the Internet might assume that the arbitrary ECS
value actually originated the DNS query without any validation? I think
this becomes a non-issue if you restrict the ECS prefix length to something
sane like <=24.


> At the same time, it was not clear to us what additional benefit it
> would bring to RIPE Atlas measurements to include longer prefixes. In
> particular, we assumed that the main purpose of this option would be to
> measure interference by firewalls or other middle boxes.
>
>
I think the benefit here is somewhat clear for measuring the behavior of
recursive resolvers and authoritative nameservers when ECS data is present.


> Philip
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/ripe-atlas/attachments/20190131/c4ef2597/attachment.html>