ietf-wg-ohai / draft-ohai-svcb-config


Hiding IP when getting key configuration #18

Closed martinthomson closed 2 years ago

martinthomson commented 2 years ago

When clients fetch a target's configuration using the well-known URI, they can expose their identity in the form of an IP address if they do not connect via a proxy or some other IP-hiding mechanism. Clients SHOULD use a proxy or similar mechanism to avoid exposing client IPs to a target.

Fetching key configuration does not necessarily reveal sensitive information other than that the client is interested in the answer. It is worth pointing out that clients that wish to hide any interest in the resources provided by the server might want to break any tie between their IP address and this interest, but there are lots of cases where that is not necessary.

For instance, we might not find it useful to try to hide the fact that Firefox is running on a particular computer. If Firefox requests oblivious key configuration information from our chosen DNS provider, all that we reveal is that Firefox is running, something we will reveal soon afterwards by virtue of establishing TLS connections to a bunch of servers. So there is little value in us protecting this information.

It might be better to frame this in a more nuanced fashion. Talk instead about the consequences of leaking information about interest in the services being offered and how that is tied to network identity unless protective measures are taken (proxy, MASQUE, VPN, Tor, etc...) A "SHOULD" is not appropriate, depending on circumstances.

tireddy2 commented 2 years ago

In a typical DNR/DDR use case, the oblivious target will be deployed by the network provider, and it not only knows the client IP address but also the client identity. If the client fetches the key configuration from the oblivious target directly, it would know which client identity is interested in using the oblivious target. Most importantly, if the client directly fetches the key configuration from the oblivious target, it is easily susceptible to a targeted key configuration attack.
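One client-side mitigation for the targeted key configuration attack mentioned above is to obtain the key configuration over more than one network path (for example, through two independent proxies as well as directly) and refuse to use any key that the paths do not agree on. The following Python is an added example, not code from the draft or the working group. It assumes the Key Config wire format of RFC 9458 (key identifier, HPKE KEM id, HPKE public key, then a 16-bit length-prefixed list of KDF/AEAD id pairs) and an application/ohttp-keys body made of 16-bit length-prefixed key configs; the vantage-point names, public key bytes and the "direct" observation that differs are constructed sample data.

```python
"""Parse OHTTP key configurations and check that several vantage points
saw the same keys from a target (consistency check against a targeted
key configuration attack). Added example; wire format per RFC 9458."""
import hashlib
import struct

# Npk (public key length in bytes) for each HPKE KEM id, from RFC 9180.
KEM_NPK = {0x0010: 65, 0x0011: 97, 0x0012: 133, 0x0020: 32, 0x0021: 56}


def parse_key_config(data: bytes) -> dict:
    """Parse exactly one Key Config structure; rejects truncation and trailing bytes."""
    if len(data) < 3:
        raise ValueError("key config truncated")
    key_id = data[0]
    (kem_id,) = struct.unpack("!H", data[1:3])
    npk = KEM_NPK.get(kem_id)
    if npk is None:
        raise ValueError(f"unknown KEM id {kem_id:#06x}")
    public_key = data[3:3 + npk]
    if len(public_key) != npk:
        raise ValueError("public key truncated")
    off = 3 + npk
    if off + 2 > len(data):
        raise ValueError("symmetric algorithms length missing")
    (alg_len,) = struct.unpack("!H", data[off:off + 2])
    off += 2
    if alg_len < 4 or alg_len % 4 or off + alg_len > len(data):
        raise ValueError("bad symmetric algorithms length")
    algs = [struct.unpack("!HH", data[i:i + 4]) for i in range(off, off + alg_len, 4)]
    off += alg_len
    if off != len(data):
        raise ValueError("trailing bytes after key config")
    return {"key_id": key_id, "kem_id": kem_id, "public_key": public_key,
            "algs": algs, "raw": data}


def parse_key_configs(body: bytes) -> list:
    """Parse an application/ohttp-keys body: a sequence of 16-bit length-prefixed key configs."""
    configs, off = [], 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("length prefix truncated")
        (length,) = struct.unpack("!H", body[off:off + 2])
        off += 2
        chunk = body[off:off + length]
        if len(chunk) != length:
            raise ValueError("key config truncated")
        configs.append(parse_key_config(chunk))
        off += length
    return configs


def fingerprint(config: dict) -> str:
    """Stable identifier for a key config: SHA-256 over its raw encoding."""
    return hashlib.sha256(config["raw"]).hexdigest()


def check_consistency(observations: dict) -> dict:
    """observations maps a vantage-point name to the body it fetched.

    A key id is flagged when its encoding differs between vantage points, or
    when it was not seen from every vantage point at all (a client-specific
    key served only on one path)."""
    seen = {}  # key_id -> fingerprint -> [vantage points]
    for source, body in observations.items():
        for cfg in parse_key_configs(body):
            seen.setdefault(cfg["key_id"], {}).setdefault(fingerprint(cfg), []).append(source)
    all_sources = set(observations)
    disagreements = {}
    for key_id, fps in seen.items():
        observed = {s for sources in fps.values() for s in sources}
        if len(fps) > 1 or observed != all_sources:
            disagreements[key_id] = fps
    return {"consistent": not disagreements, "disagreements": disagreements}


# Helpers to build constructed sample input (the encoder is the inverse of the parser).
def build_key_config(key_id: int, kem_id: int, public_key: bytes, algs: list) -> bytes:
    alg_bytes = b"".join(struct.pack("!HH", kdf, aead) for kdf, aead in algs)
    return bytes([key_id]) + struct.pack("!H", kem_id) + public_key \
        + struct.pack("!H", len(alg_bytes)) + alg_bytes


def build_keys_body(configs: list) -> bytes:
    return b"".join(struct.pack("!H", len(c)) + c for c in configs)


# Constructed sample: X25519 KEM, HKDF-SHA256 / AES-128-GCM. The "direct" path
# receives a key config with the same key id but a different public key.
X25519, ALGS = 0x0020, [(0x0001, 0x0001)]
HONEST = build_key_config(1, X25519, b"\x11" * 32, ALGS)
TARGETED = build_key_config(1, X25519, b"\x22" * 32, ALGS)
SAMPLE_OBSERVATIONS = {
    "via-proxy-A": build_keys_body([HONEST]),
    "via-proxy-B": build_keys_body([HONEST]),
    "direct": build_keys_body([TARGETED]),
}

if __name__ == "__main__":
    result = check_consistency(SAMPLE_OBSERVATIONS)
    for key_id, fps in result["disagreements"].items():
        for fp, sources in fps.items():
            print(f"key id {key_id}: {fp[:16]}... seen from {sources}")
    print("consistent:", result["consistent"])
```

The comparison is over the full raw encoding rather than the public key alone, so a change to the advertised KDF/AEAD list is caught as well; a client that gets a non-empty `disagreements` map should treat the configuration as untrusted rather than pick one of the variants.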