Re: [dns-privacy] New Version Notification for draft-ghedini-dprive-early-data-01.txt
Dan Wing <danwing@gmail.com> Wed, 10 July 2019 03:24 UTC
Return-Path: <danwing@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E652212013B for <dns-privacy@ietfa.amsl.com>; Tue, 9 Jul 2019 20:24:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.703
X-Spam-Level:
X-Spam-Status: No, score=-0.703 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, PDS_NO_HELO_DNS=1.295, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U5OHo_yz-xrA for <dns-privacy@ietfa.amsl.com>; Tue, 9 Jul 2019 20:24:31 -0700 (PDT)
Received: from mail-pf1-x435.google.com (mail-pf1-x435.google.com [IPv6:2607:f8b0:4864:20::435]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0EBF81200E5 for <dns-privacy@ietf.org>; Tue, 9 Jul 2019 20:24:31 -0700 (PDT)
Received: by mail-pf1-x435.google.com with SMTP id b13so380052pfo.1 for <dns-privacy@ietf.org>; Tue, 09 Jul 2019 20:24:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Wx1wI4gMMZrNrlakVQE++32whp9o5qj96PaEGa2y0ok=; b=Vn+NI1hRcpXQnFMZX6wpDoFBUnKO5yGVJqcDH9OMX+J87JM0s0Lr/WJhWD2UCGDItK JSN1kT9kI4np5+TQyhwvMI6w12PwKlfZ1J9LiE5TvP49KK4sitMGVeO7fWh+HaXCo392 0hyvWNfnqevdO1Vw/Ho9ChMhM/YHtZo0Ipuce0/M8rjG7ZRCB2NEw02viEkzTsVgOzTF OPuRtsdoqNpeF3s40zWfc7gK5YoyP9pKrD3o0bk7RGM8gl3TwAf7AjmyBNo19xvTRYT1 B4j0JiF6nUzjrnUoIJ7wZ3XkAKEONI9du0Xel85LufRVq6jMtfy4F67ajBgCyZ202U6a LoIQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Wx1wI4gMMZrNrlakVQE++32whp9o5qj96PaEGa2y0ok=; b=hi1MZgAtC7F04RsEKS6kU19D0GuKzofjZF6EAxbeH0buMdhaKRyZQCQ53nB7rtowEQ EQQkY4hxtvcCRjohAR6IBxwQAY/2zxC3DTStwfqs1IysNFX/0SUDHt4ZPOmMIC5gxtF3 CCt2U9WsZraJvNYMyHiphyuuVILENp42qkWgBoZhSmh8fk+9FNjCJClTb0gFm0vP5xZy /s0MoZ3iQeUt7gUchRmYV4JCGKPMlDdwGBAFmAIzZsw4HSbiGOqv8Qdh8YEe5lcUEDci AcYY11kwYzktxyyaoda0xP9+1FviE2/qwGuY++EXdjQ2Yt5juQwGAy2lo/J2DmIrG31i K04g==
X-Gm-Message-State: APjAAAWeEag2BcAOUm7wdqfFaovn3PnEiCEQ69hhIqI9wof35Do58/Wa ra3NKiwB2CUViDQEzr3+0PQMSQ0VOj4=
X-Google-Smtp-Source: APXvYqxOa7d4fY8S5tOFp6fHQ01tu6ail3kUnAZeW/5/6BoZmP2WGMFfRrps0JaxEGhAMYpq9950rQ==
X-Received: by 2002:a63:7b4d:: with SMTP id k13mr23357352pgn.182.1562729070293; Tue, 09 Jul 2019 20:24:30 -0700 (PDT)
Received: from sjcldanwi.lan ([75.111.84.113]) by smtp.gmail.com with ESMTPSA id w16sm486707pfj.85.2019.07.09.20.24.29 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 09 Jul 2019 20:24:29 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Dan Wing <danwing@gmail.com>
In-Reply-To: <FA7E5FBD-5286-4BBD-A608-E1D6A6F9D14F@bangj.com>
Date: Tue, 09 Jul 2019 20:24:28 -0700
Cc: "Livingood, Jason" <Jason_Livingood@comcast.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <B3A071DE-73C1-46D9-BA62-B06CBAC5BCD3@gmail.com>
References: <156242998138.15238.11931955927978549044.idtracker@ietfa.amsl.com> <20190706164823.GA29462@pinky.flat11.house> <73435C5A-3819-4ED3-AC70-CF48AAF5CBA7@cable.comcast.com> <FA7E5FBD-5286-4BBD-A608-E1D6A6F9D14F@bangj.com>
To: Tom Pusateri <pusateri@bangj.com>, Alessandro Ghedini <alessandro@ghedini.me>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/ILN6OLJhYDoaaiOYapAtB8glawE>
Subject: Re: [dns-privacy] New Version Notification for draft-ghedini-dprive-early-data-01.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jul 2019 03:24:33 -0000
On Jul 9, 2019, at 7:15 PM, Tom Pusateri <pusateri@bangj.com> wrote: > This is relevant to the Push Notification draft we’re trying to wrap up. > > In the last paragraph of section 4, it says: > Not all types of DNS queries are safe to be sent as early data. > Clients MUST NOT use early data to send DNS Updates ([RFC2136]) or > Zone Transfers ([RFC5936]) messages. Servers receiving any of those > messages MUST reply with a "FormErr" response code. > > There isn’t a reason or reference for this claim of not being safe. Can the authors expand on this? Thanks for writing this up, Allesandro. Tom, both of those DNS messages are not queries -- they change the state of the server. The concern is replay attacks, I expect. Text should be updated to be clear on why, for sure. Slightly later the text suggests a whitelist vs blacklist. I think this needs to be in an IANA registry indicating which DNS messagese are allowed for early data. Implementation guidance should encourage a whitelist on the server, IMHO. -d > Thanks, > Tom > > >> On Jul 9, 2019, at 9:10 PM, Livingood, Jason <Jason_Livingood@comcast.com> wrote: >> >> Just read it - very interesting! Is the bottom line essentially don't do DNS+TLS-1.3+0-RTT? Basically, since 1-RTT isn't a big performance problem, why take the risk of 0-RTT? >> >> JL >> >> On 7/6/19, 12:50 PM, "dns-privacy on behalf of Alessandro Ghedini" <dns-privacy-bounces@ietf.org on behalf of alessandro@ghedini.me> wrote: >> >> Hello, >> >> On Sat, Jul 06, 2019 at 09:19:41AM -0700, internet-drafts@ietf.org wrote: >>> A new version of I-D, draft-ghedini-dprive-early-data-01.txt >>> has been successfully submitted by Alessandro Ghedini and posted to the >>> IETF repository. >>> >>> Name: draft-ghedini-dprive-early-data >>> Revision: 01 >>> Title: Using Early Data in DNS over TLS >>> Document date: 2019-07-06 >>> Group: Individual Submission >>> Pages: 5 >>> URL: https://www.ietf.org/internet-drafts/draft-ghedini-dprive-early-data-01.txt >>> Status: https://datatracker.ietf.org/doc/draft-ghedini-dprive-early-data/ >>> Htmlized: https://tools.ietf.org/html/draft-ghedini-dprive-early-data-01 >>> Htmlized: https://datatracker.ietf.org/doc/html/draft-ghedini-dprive-early-data >>> Diff: https://www.ietf.org/rfcdiff?url2=draft-ghedini-dprive-early-data-01 >>> >>> Abstract: >>> This document illustrates the risks of using TLS 1.3 early data with >>> DNS over TLS, and specifies behaviors that can be adopted by clients >>> and servers to reduce those risks. >> >> I've been looking for information about using TLS 1.3 0-RTT with DoT, but all I >> could find was a discussion from over a year ago on the mailing list: >> https://mailarchive.ietf.org/arch/msg/dns-privacy/LKZeOAj7Y4fC-9hRcbX_4KVWu0Y >> >> So I wrote this document to try and document potential risks as well as capture >> requirements for DoT implementations deciding to add support for 0-RTT (RFC8446 >> in Appendix E.5 says that "Application protocols MUST NOT use 0-RTT data without >> a profile that defines its use). >> >> Most of the wording comes from RFC8470 and some content from the mailing list >> discussion mentioned above, though there are still some things that need to be >> filled in or expanded. >> >> In this new revision I expanded some of the sections as well as included some >> editorial fixes. >> >> The draft is maintained on GitHub at: >> https://github.com/ghedo/draft-ghedini-dprive-early-data >> >> Would be interested to know what people think about this. >> >> Cheers >> >> _______________________________________________ >> dns-privacy mailing list >> dns-privacy@ietf.org >> https://www.ietf.org/mailman/listinfo/dns-privacy >> >> >> _______________________________________________ >> dns-privacy mailing list >> dns-privacy@ietf.org >> https://www.ietf.org/mailman/listinfo/dns-privacy > > _______________________________________________ > dns-privacy mailing list > dns-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/dns-privacy
- [dns-privacy] Fwd: New Version Notification for d… Alessandro Ghedini
- Re: [dns-privacy] Fwd: New Version Notification f… Livingood, Jason
- Re: [dns-privacy] New Version Notification for dr… Tom Pusateri
- Re: [dns-privacy] Fwd: New Version Notification f… Ben Schwartz
- Re: [dns-privacy] New Version Notification for dr… Dan Wing
- Re: [dns-privacy] [EXTERNAL] Re: New Version Noti… Livingood, Jason
- Re: [dns-privacy] New Version Notification for dr… Alessandro Ghedini
- Re: [dns-privacy] Fwd: New Version Notification f… Alessandro Ghedini
- Re: [dns-privacy] Fwd: New Version Notification f… Christian Huitema