Re: [dns-privacy] Fwd: New Version Notification for draft-ghedini-dprive-early-data-01.txt

"Livingood, Jason" <Jason_Livingood@comcast.com> Wed, 10 July 2019 01:10 UTC

From: "Livingood, Jason" <Jason_Livingood@comcast.com>
To: Alessandro Ghedini <alessandro@ghedini.me>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Date: Wed, 10 Jul 2019 01:10:28 +0000
Message-ID: <73435C5A-3819-4ED3-AC70-CF48AAF5CBA7@cable.comcast.com>
References: <156242998138.15238.11931955927978549044.idtracker@ietfa.amsl.com> <20190706164823.GA29462@pinky.flat11.house>
In-Reply-To: <20190706164823.GA29462@pinky.flat11.house>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/LV6whkzJyi3jnR3RHTXQdVanaN8>

Just read it - very interesting! Is the bottom line essentially don't do DNS+TLS-1.3+0-RTT? Basically, since 1-RTT isn't a big performance problem, why take the risk of 0-RTT?

JL

On 7/6/19, 12:50 PM, "dns-privacy on behalf of Alessandro Ghedini" <dns-privacy-bounces@ietf.org on behalf of alessandro@ghedini.me> wrote:

    Hello,
    
    On Sat, Jul 06, 2019 at 09:19:41AM -0700, internet-drafts@ietf.org wrote:
    > A new version of I-D, draft-ghedini-dprive-early-data-01.txt
    > has been successfully submitted by Alessandro Ghedini and posted to the
    > IETF repository.
    > 
    > Name:		draft-ghedini-dprive-early-data
    > Revision:	01
    > Title:		Using Early Data in DNS over TLS
    > Document date:	2019-07-06
    > Group:		Individual Submission
    > Pages:		5
    > URL:            https://www.ietf.org/internet-drafts/draft-ghedini-dprive-early-data-01.txt
    > Status:         https://datatracker.ietf.org/doc/draft-ghedini-dprive-early-data/
    > Htmlized:       https://tools.ietf.org/html/draft-ghedini-dprive-early-data-01
    > Htmlized:       https://datatracker.ietf.org/doc/html/draft-ghedini-dprive-early-data
    > Diff:           https://www.ietf.org/rfcdiff?url2=draft-ghedini-dprive-early-data-01
    > 
    > Abstract:
    >    This document illustrates the risks of using TLS 1.3 early data with
    >    DNS over TLS, and specifies behaviors that can be adopted by clients
    >    and servers to reduce those risks.
    
    I've been looking for information about using TLS 1.3 0-RTT with DoT, but all I
    could find was a discussion from over a year ago on the mailing list:
    https://mailarchive.ietf.org/arch/msg/dns-privacy/LKZeOAj7Y4fC-9hRcbX_4KVWu0Y
    
    So I wrote this document to try and document potential risks as well as capture
    requirements for DoT implementations deciding to add support for 0-RTT (RFC8446
    in Appendix E.5 says that "Application protocols MUST NOT use 0-RTT data without
    a profile that defines its use").
    
    Most of the wording comes from RFC8470 and some content from the mailing list
    discussion mentioned above, though there are still some things that need to be
    filled in or expanded.
    
    In this new revision I expanded some of the sections as well as included some
    editorial fixes.
    
    The draft is maintained on GitHub at:
    https://github.com/ghedo/draft-ghedini-dprive-early-data
    
    Would be interested to know what people think about this.
    
    Cheers
    
    _______________________________________________
    dns-privacy mailing list
    dns-privacy@ietf.org
    https://www.ietf.org/mailman/listinfo/dns-privacy
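The thread above discusses the replay risk that TLS 1.3 early data brings to DoT but does not show what a server-side gate looks like. The following is an added example, not code from the draft, the thread or any DoT implementation: it parses the DNS header of a message received on a DoT connection and decides whether to answer it while the handshake is still incomplete. The policy (answer only replay-safe standard QUERY opcodes in 0-RTT, defer everything else until the handshake completes, drop anything that is not a request) is an assumption modelled on RFC 8470's defer-or-reject approach, and the sample messages are constructed inline, not captured traffic.

```python
import struct

OPCODE_QUERY = 0  # RFC 1035 standard query; other opcodes (e.g. UPDATE = 5) are not replay-safe


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format (labels, no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_message(ident: int, flags: int, qname: str, qtype: int = 1) -> bytes:
    """Constructed sample message: 12-byte header plus one IN question."""
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Parse the DNS header (RFC 1035 section 4.1.1); raises on truncation."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def early_data_decision(msg: bytes, early_data: bool) -> str:
    """Assumed server policy for a message read from a DoT connection.

    Returns 'process' (answer now), 'defer' (hold until the TLS handshake
    completes, so an attacker-replayed copy cannot cause a second side effect)
    or 'drop' (not a request at all).
    """
    h = parse_header(msg)
    if h["qr"] == 1:
        return "drop"            # a response on the request stream is never valid
    if not early_data:
        return "process"         # 1-RTT data is replay-protected by the handshake
    if h["opcode"] != OPCODE_QUERY:
        return "defer"           # UPDATE/NOTIFY etc. may change state if replayed
    return "process"


# Constructed samples (not captured traffic)
SAMPLE_QUERY = build_message(0x1234, 0x0100, "example.com")         # RD set, opcode QUERY
SAMPLE_UPDATE = build_message(0x1235, 5 << 11, "example.com", 6)   # opcode UPDATE, zone section
SAMPLE_RESPONSE = build_message(0x1234, 0x8180, "example.com")      # QR set: a response
```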