Re: [dns-privacy] Fwd: New Version Notification for draft-ghedini-dprive-early-data-01.txt
Alessandro Ghedini <alessandro@ghedini.me> Wed, 17 July 2019 13:44 UTC
Return-Path: <alessandro@ghedini.me>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 480B5120409 for <dns-privacy@ietfa.amsl.com>; Wed, 17 Jul 2019 06:44:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ghedini.me
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IlDOahh8pTVq for <dns-privacy@ietfa.amsl.com>; Wed, 17 Jul 2019 06:44:51 -0700 (PDT)
Received: from blastoise.ghedini.me (blastoise.ghedini.me [45.32.158.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB169120407 for <dns-privacy@ietf.org>; Wed, 17 Jul 2019 06:44:50 -0700 (PDT)
Received: from localhost (unknown [IPv6:2a06:98c0:1000:8250:d1fb:ce1b:6f8b:4e13]) by blastoise.ghedini.me (Postfix) with ESMTPSA id 53958DF270; Wed, 17 Jul 2019 13:44:49 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ghedini.me; s=mail; t=1563371089; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=998B1u5pfjW+XkDIuHyjAQec/ov814EOd1Gir1TNs1k=; b=ajg/0QAUc328eTmuB9R3Q7stR+rfmymEPsfJfaNY15EmDa9YwHgu+GxaRAzg9eDSN1A0bE S93GYLEiOQlX+o7Xl3LddOV7Mgh55aBwt6XYTxX40JJOBVmPlGL4ZO8N4UC694jY2lV3iV JlZTp7YR7lHDmHtzJxJOgk+MrLX1NUE=
Date: Wed, 17 Jul 2019 14:44:44 +0100
From: Alessandro Ghedini <alessandro@ghedini.me>
To: Ben Schwartz <bemasc@google.com>
Cc: dns-privacy@ietf.org
Message-ID: <20190717134443.GB3647@wakko.flat11.house>
References: <156242998138.15238.11931955927978549044.idtracker@ietfa.amsl.com> <20190706164823.GA29462@pinky.flat11.house> <CAHbrMsDQPq1hMzQViCoihWth2S_uQKvD3XgFnbY5KTW39w0TBg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAHbrMsDQPq1hMzQViCoihWth2S_uQKvD3XgFnbY5KTW39w0TBg@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/L7vxpt66or-bx1JVIxzj3eQ7LwE>
Subject: Re: [dns-privacy] Fwd: New Version Notification for draft-ghedini-dprive-early-data-01.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2019 13:44:52 -0000
On Tue, Jul 09, 2019 at 10:25:15PM -0400, Ben Schwartz wrote: > Thanks for writing this up. Your recommendation makes sense to me, and I > think it will be useful in practice. > > One thought: instead of rejecting unsafe 0-RTT data with FormErr, could we > tell servers to reject the early data at the TLS layer to force a > retransmission? That seems like it might be simpler to implement on both > sides, and just as safe. The problem is that the decision of whether you accept or reject early data happens before the application had a chance of actually reading it, so you don't know whether a specific DNS query can be allowed before deciding to reject all of the early data. Also, there could potentially be multiple queries in the early data. HTTP solved this by defining a special HTTP status code that instructs the client to retry only the affected request(s), so the server could, after accepting early data at the TLS layer, execute some of the early data requests but not all of them. Maybe we could do something similar with extended DNS errors (draft-ietf-dnsop-extended-error)? Though I don't know how useful this would be in practice. Cheers
- [dns-privacy] Fwd: New Version Notification for d… Alessandro Ghedini
- Re: [dns-privacy] Fwd: New Version Notification f… Livingood, Jason
- Re: [dns-privacy] New Version Notification for dr… Tom Pusateri
- Re: [dns-privacy] Fwd: New Version Notification f… Ben Schwartz
- Re: [dns-privacy] New Version Notification for dr… Dan Wing
- Re: [dns-privacy] [EXTERNAL] Re: New Version Noti… Livingood, Jason
- Re: [dns-privacy] New Version Notification for dr… Alessandro Ghedini
- Re: [dns-privacy] Fwd: New Version Notification f… Alessandro Ghedini
- Re: [dns-privacy] Fwd: New Version Notification f… Christian Huitema