[dns-privacy] Fwd: New Version Notification for draft-ghedini-dprive-early-data-02.txt

Alessandro Ghedini <alessandro@ghedini.me> Tue, 25 February 2020 15:14 UTC

Return-Path: <alessandro@ghedini.me>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A52A3A0EB5 for <dns-privacy@ietfa.amsl.com>; Tue, 25 Feb 2020 07:14:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ghedini.me
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tKW9awfOv-RM for <dns-privacy@ietfa.amsl.com>; Tue, 25 Feb 2020 07:14:05 -0800 (PST)
Received: from blastoise.ghedini.me (blastoise.ghedini.me [IPv6:2001:19f0:6c01:a56:5400:1ff:fe4a:5694]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C8A33A0EAC for <dns-privacy@ietf.org>; Tue, 25 Feb 2020 07:14:04 -0800 (PST)
Received: from localhost (unknown [IPv6:2a06:98c0:1000:8800:d970:6fba:d389:3815]) by blastoise.ghedini.me (Postfix) with ESMTPSA id 98DB7DF49F for <dns-privacy@ietf.org>; Tue, 25 Feb 2020 15:14:02 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ghedini.me; s=mail; t=1582643642; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=bRVCmCWhmQIFTubEWXYP16xlaeXhG4oBvpuMPdDNNrk=; b=NO+3re5TRVJOMdbtWxektXcpNxhrn6Cf1oWdlEc1rMqTEodVULlj8TAzuYB+1E+KB3LQMp P1g5jt8l+jHkfP4g7NEYhLijUnmz2Mpp9s2EESjI8K9EqCr+k1qNdx44wmUCfQ79xmny5q R18AxmXlUFoJaQszeJs/qddhuu97K6E=
Date: Tue, 25 Feb 2020 15:13:59 +0000
From: Alessandro Ghedini <alessandro@ghedini.me>
To: dns-privacy@ietf.org
Message-ID: <20200225151359.GA57690@wakko.flat11.house>
References: <158264066052.15564.14264935853918182437.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <158264066052.15564.14264935853918182437.idtracker@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/QI_M5ISkz104xlYJ1qbs0plis38>
Subject: [dns-privacy] Fwd: New Version Notification for draft-ghedini-dprive-early-data-02.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Feb 2020 15:14:09 -0000

On Tue, Feb 25, 2020 at 06:24:20AM -0800, internet-drafts@ietf.org wrote:
> 
> 
> A new version of I-D, draft-ghedini-dprive-early-data-02.txt
> has been successfully submitted by Alessandro Ghedini and posted to the
> IETF repository.
> 
> Name:		draft-ghedini-dprive-early-data
> Revision:	02
> Title:		Using Early Data in DNS over TLS
> Document date:	2020-02-25
> Group:		Individual Submission
> Pages:		6
> URL:            https://www.ietf.org/internet-drafts/draft-ghedini-dprive-early-data-02.txt
> Status:         https://datatracker.ietf.org/doc/draft-ghedini-dprive-early-data/
> Htmlized:       https://tools.ietf.org/html/draft-ghedini-dprive-early-data-02
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-ghedini-dprive-early-data
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ghedini-dprive-early-data-02
> 
> Abstract:
>    This document illustrates the risks of using TLS 1.3 early data with
>    DNS over TLS, and specifies behaviors that can be adopted by clients
>    and servers to reduce those risks.

Long overdue update to the Early Data for DoT draft (sorry for the delay). This
incorporates changes suggested from past discussions and reviews.

Notably:

* Clarified why some DNS messages are not allowed in early data. All DNS

* Messages that don't use the Query opcode are now explicitly forbidden
  from being sent over early data.

* Defined a registry of RR types that can be sent over early data. This is
  likely to be incomplete right now. New entries can be easily added later, but
  for now I'd like some feedback on whether this is the right direction before
  going further.

As per the above changelog, the new draft strictly limits DNS messages allowed
in early data to ones that use the Query opcode AND RR types that are explcitly
listed in the new registry. But after doing that work, I'm now wondering if
allowing only query messages is actually enough, without the need to define the
RR types registry. Any thoughts? I don't really know what most of the RR types
currently defined do, so I might be missing something.

Also worth noting that the general wording and structure of the draft might need
some improvements (as Martin pointed out in his review some text could probably
be replaced by references to RFC 8446 and 8470) but after spending some time on
this I couldn't come up with much, so for now I'd like to get some feedback on
the changes and discussion point mentioned above.

CHeers