Re: [dns-privacy] I-D Action: draft-ietf-dprive-early-data-00.txt

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 22 April 2020 16:29 UTC

Date: Wed, 22 Apr 2020 19:29:41 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: dns-privacy@ietf.org
Message-ID: <20200422162941.GA3717822@LK-Perkele-VII>
References: <158756289950.27739.8333642302898544857@ietfa.amsl.com>
In-Reply-To: <158756289950.27739.8333642302898544857@ietfa.amsl.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/aXALsGxCWbdGTPpgXF9G7GO9u9Y>
Subject: Re: [dns-privacy] I-D Action: draft-ietf-dprive-early-data-00.txt

On Wed, Apr 22, 2020 at 06:41:39AM -0700, internet-drafts@ietf.org wrote:
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the DNS PRIVate Exchange WG of the IETF.
> 
>         Title           : Using Early Data in DNS over TLS
>         Author          : Alessandro Ghedini
>         Filename        : draft-ietf-dprive-early-data-00.txt
>         Pages           : 6
>         Date            : 2020-04-22

That RRTYPE whitelist looks quite questionable. Any Data RRTYPE (numbers
1-127 and 256-61439) needs to be safe as QTYPE, or there are major
problems already (since servers MUST answer all of them).

Meta RRTYPEs (numbers 128-255) might be unsafe (and servers are
allowed to reject such queries already). Then there is the unassigned,
private use and reserved stuff (numbers 0, 61440-65535) and who knows
what is there.

Unfortunately there is the special snowflake that is OPT (number 41).
Despite being in the DATA RRTYPE range, it is special (usually not even
used as QTYPE). Now, the base structure absolutely has to be allowed in
0-RTT. The problem with it is that it can carry its own extensions. I
have no idea what most of those even do, and there are probably at
least some that are unsafe in 0-RTT, and at least some that are
actually useful in 0-RTT.

(As a sidenote, I discovered that Unbound does not like OPT as QTYPE
and answers with FORMERR, but there are servers out there that answer
OPT queries like any other datatype they have no records for).


-Ilari
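The classification Ilari describes (data RRTYPEs safe as QTYPE, meta RRTYPEs and the reserved/private ranges not, OPT allowed as a base structure but with each EDNS option needing its own judgement) can be turned into a concrete early-data acceptance check on the wire-format query. The following is an added example written for this page; it is not code from the draft, from Unbound, or from the mail's author. The RRTYPE ranges are the RFC 6895 registry allocations quoted in the mail; the EDNS option allowlist (`EARLY_DATA_SAFE_OPTIONS`), the choice to refuse OPT as a QTYPE, the helper names and the sample query are all assumptions made for illustration, not recommendations from the draft.

```python
"""Decide whether a DNS query is acceptable as TLS 0-RTT early data.

Added example, not code from draft-ietf-dprive-early-data or Unbound.
RRTYPE ranges follow the RFC 6895 registry; the EDNS option allowlist and
the OPT-as-QTYPE rule are assumptions made for this example only.
"""
import struct

TYPE_OPT = 41


def rrtype_class(t: int) -> str:
    """Map an RRTYPE number to its RFC 6895 registry class."""
    if 1 <= t <= 127 or 256 <= t <= 61439:
        return "data"
    if 128 <= t <= 255:
        return "meta"
    if 65280 <= t <= 65534:
        return "private"
    return "reserved"  # 0, 61440-65279 and 65535


def _read_name(msg: bytes, off: int):
    """Read an uncompressed wire-format name; a compression pointer ends the name."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return labels, off + 1
        if ln & 0xC0 == 0xC0:  # pointer: two bytes, no further labels here
            return labels, off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def parse_edns_options(rdata: bytes) -> list:
    """Split OPT RDATA into (option-code, option-data) pairs (RFC 6891 6.1.2)."""
    opts, off = [], 0
    while off < len(rdata):
        code, length = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        if off + length > len(rdata):
            raise ValueError("truncated EDNS option")
        opts.append((code, rdata[off:off + length]))
        off += length
    return opts


def parse_query(msg: bytes) -> dict:
    """Parse header, question section and any OPT record of a query message."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    msg_id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, edns_options = 12, [], None
    for _ in range(qd):
        labels, off = _read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((".".join(labels) or ".", qtype, qclass))
    # Walk every RR so we stay in sync with the wire format; only OPT matters here.
    for _ in range(an + ns + ar):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_OPT:
            edns_options = parse_edns_options(rdata)
    return {"id": msg_id, "questions": questions, "edns_options": edns_options}


# Assumed allowlist: real IANA codes (10 = COOKIE, 12 = Padding), but treating
# them as replay-safe is this example's policy choice, not the draft's.
EARLY_DATA_SAFE_OPTIONS = frozenset({10, 12})


def early_data_decision(msg: bytes, safe_options=EARLY_DATA_SAFE_OPTIONS):
    """Return (accept, reason). Anything refused here is left for 1-RTT."""
    q = parse_query(msg)
    for _name, qtype, _qclass in q["questions"]:
        if qtype == TYPE_OPT:  # data-range number, but not a real query type
            return False, "OPT as QTYPE"
        cls = rrtype_class(qtype)
        if cls != "data":
            return False, f"QTYPE {qtype} is {cls}, not data"
    for code, _data in q["edns_options"] or []:
        if code not in safe_options:
            return False, f"EDNS option {code} not on early-data allowlist"
    return True, "ok"


def build_query(qname: str, qtype: int, options=()) -> bytes:
    """Construct a minimal query with an OPT record (constructed sample input)."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, len(rdata)) + rdata
    return header + name + struct.pack("!HH", qtype, 1) + opt


if __name__ == "__main__":
    print(early_data_decision(build_query("example.com", 1, [(10, b"\x01" * 8)])))
    print(early_data_decision(build_query("example.com", 255)))
```

The refusal path matters as much as the accept path: a server that rejects early data does not fail the query, it makes the client resend after the handshake, so erring towards "reserved" for the unassigned ranges and towards "unknown option, refuse" costs one round trip rather than a replayable side effect.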