Re: [dns-privacy] New Version Notification for draft-ghedini-dprive-early-data-01.txt
Tom Pusateri <pusateri@bangj.com> Wed, 10 July 2019 02:15 UTC
From: Tom Pusateri <pusateri@bangj.com>
To: "Livingood, Jason" <Jason_Livingood@comcast.com>
Cc: Alessandro Ghedini <alessandro@ghedini.me>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Date: Tue, 09 Jul 2019 22:15:27 -0400
In-Reply-To: <73435C5A-3819-4ED3-AC70-CF48AAF5CBA7@cable.comcast.com>
References: <156242998138.15238.11931955927978549044.idtracker@ietfa.amsl.com> <20190706164823.GA29462@pinky.flat11.house> <73435C5A-3819-4ED3-AC70-CF48AAF5CBA7@cable.comcast.com>
Message-Id: <FA7E5FBD-5286-4BBD-A608-E1D6A6F9D14F@bangj.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/-ZI0MS-SwnH3Z3Kk5BgpkJG35fU>
This is relevant to the Push Notification draft we’re trying to wrap up.

In the last paragraph of section 4, it says:

   Not all types of DNS queries are safe to be sent as early data.
   Clients MUST NOT use early data to send DNS Updates ([RFC2136]) or
   Zone Transfers ([RFC5936]) messages. Servers receiving any of those
   messages MUST reply with a "FormErr" response code.

There isn’t a reason or reference for this claim of not being safe. Can the authors expand on this?

Thanks,
Tom

> On Jul 9, 2019, at 9:10 PM, Livingood, Jason <Jason_Livingood@comcast.com> wrote:
>
> Just read it - very interesting! Is the bottom line essentially don't do DNS+TLS-1.3+0-RTT? Basically, since 1-RTT isn't a big performance problem, why take the risk of 0-RTT?
>
> JL
>
> On 7/6/19, 12:50 PM, "dns-privacy on behalf of Alessandro Ghedini" <dns-privacy-bounces@ietf.org on behalf of alessandro@ghedini.me> wrote:
>
>     Hello,
>
>     On Sat, Jul 06, 2019 at 09:19:41AM -0700, internet-drafts@ietf.org wrote:
>>     A new version of I-D, draft-ghedini-dprive-early-data-01.txt
>>     has been successfully submitted by Alessandro Ghedini and posted to the
>>     IETF repository.
>>
>>     Name:           draft-ghedini-dprive-early-data
>>     Revision:       01
>>     Title:          Using Early Data in DNS over TLS
>>     Document date:  2019-07-06
>>     Group:          Individual Submission
>>     Pages:          5
>>     URL:            https://www.ietf.org/internet-drafts/draft-ghedini-dprive-early-data-01.txt
>>     Status:         https://datatracker.ietf.org/doc/draft-ghedini-dprive-early-data/
>>     Htmlized:       https://tools.ietf.org/html/draft-ghedini-dprive-early-data-01
>>     Htmlized:       https://datatracker.ietf.org/doc/html/draft-ghedini-dprive-early-data
>>     Diff:           https://www.ietf.org/rfcdiff?url2=draft-ghedini-dprive-early-data-01
>>
>>     Abstract:
>>        This document illustrates the risks of using TLS 1.3 early data with
>>        DNS over TLS, and specifies behaviors that can be adopted by clients
>>        and servers to reduce those risks.
>
>     I've been looking for information about using TLS 1.3 0-RTT with DoT, but all I
>     could find was a discussion from over a year ago on the mailing list:
>     https://mailarchive.ietf.org/arch/msg/dns-privacy/LKZeOAj7Y4fC-9hRcbX_4KVWu0Y
>
>     So I wrote this document to try and document potential risks as well as capture
>     requirements for DoT implementations deciding to add support for 0-RTT (RFC8446
>     in Appendix E.5 says that "Application protocols MUST NOT use 0-RTT data without
>     a profile that defines its use").
>
>     Most of the wording comes from RFC8470 and some content from the mailing list
>     discussion mentioned above, though there are still some things that need to be
>     filled in or expanded.
>
>     In this new revision I expanded some of the sections as well as included some
>     editorial fixes.
>
>     The draft is maintained on GitHub at:
>     https://github.com/ghedo/draft-ghedini-dprive-early-data
>
>     Would be interested to know what people think about this.
>
>     Cheers
>
>     _______________________________________________
>     dns-privacy mailing list
>     dns-privacy@ietf.org
>     https://www.ietf.org/mailman/listinfo/dns-privacy