Re: [dns-privacy] Fwd: New Version Notification for draft-ghedini-dprive-early-data-02.txt
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 25 February 2020 15:54 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 387653A0F2F for <dns-privacy@ietfa.amsl.com>; Tue, 25 Feb 2020 07:54:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CsOmKrKqHZx9 for <dns-privacy@ietfa.amsl.com>; Tue, 25 Feb 2020 07:54:39 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 100913A0CE1 for <dns-privacy@ietf.org>; Tue, 25 Feb 2020 07:54:38 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id CB05DBE4D; Tue, 25 Feb 2020 15:54:36 +0000 (GMT)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ocx4j1kF1F5U; Tue, 25 Feb 2020 15:54:36 +0000 (GMT)
Received: from [134.226.36.93] (unknown [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 86075BE3E; Tue, 25 Feb 2020 15:54:36 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1582646076; bh=4G7R1sNlmW42f5EEmRC7Jw5iSLiIAJsM148koPQ3Tmk=; h=To:References:From:Subject:Date:In-Reply-To:From; b=1uPNvnZSwqZkw8X77CtExLSD/aQjNtJgcNrkh+slcznheP6A1rro61CY8e0RNaBJ1 mYd9J4CXNAYxW+9X+S8gsvjLJ7Qsk2ZlHOqHWsKbKAoR49STKTDeUMIn7fuyDc2k8Z sxeP49rPckDn2vq1pmWi1jRMRPyDxXC+Qknvj4rI=
To: Alessandro Ghedini <alessandro@ghedini.me>, dns-privacy@ietf.org
References: <158264066052.15564.14264935853918182437.idtracker@ietfa.amsl.com> <20200225151359.GA57690@wakko.flat11.house>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Autocrypt: addr=stephen.farrell@cs.tcd.ie; prefer-encrypt=mutual; keydata= mQINBFo9UDIBEADUH4ZPcUnX5WWRWO4kEkHea5Y5eEvZjSwe/YA+G0nrTuOU9nemCP5PMvmh 5Cg8gBTyWyN4Z2+O25p9Tja5zUb+vPMWYvOtokRrp46yhFZOmiS5b6kTq0IqYzsEv5HI58S+ QtaFq978CRa4xH9Gi9u4yzUmT03QNIGDXE37honcAM4MOEtEgvw4fVhVWJuyy3w//0F2tzKr EMjmL5VGuD/Q9+G/7abuXiYNNd9ZFjv4625AUWwy+pAh4EKzS1FE7BOZp9daMu9MUQmDqtZU bUv0Q+DnQAB/4tNncejJPz0p2z3MWCp5iSwHiQvytYgatMp34a50l6CWqa13n6vY8VcPlIqO Vz+7L+WiVfxLbeVqBwV+4uL9to9zLF9IyUvl94lCxpscR2kgRgpM6A5LylRDkR6E0oudFnJg b097ZaNyuY1ETghVB5Uir1GCYChs8NUNumTHXiOkuzk+Gs4DAHx/a78YxBolKHi+esLH8r2k 4LyM2lp5FmBKjG7cGcpBGmWavACYEa7rwAadg4uBx9SHMV5i33vDXQUZcmW0vslQ2Is02NMK 7uB7E7HlVE1IM1zNkVTYYGkKreU8DVQu8qNOtPVE/CdaCJ/pbXoYeHz2B1Nvbl9tlyWxn5Xi HzFPJleXc0ksb9SkJokAfwTSZzTxeQPER8la5lsEEPbU/cDTcwARAQABtDJTdGVwaGVuIEZh cnJlbGwgKDIwMTcpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPokCQAQTAQgAKgIbAwUJ CZQmAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAUCWj6jdwIZAQAKCRBasvrxexcr6o7QD/9m x9DPJetmW794RXmNTrbTJ44zc/tJbcLdRBh0KBn9OW/EaAqjDmgNJeCMyJTKr1ywaps8HGUN hLEVkc14NUpgi4/Zkrbi3DmTp25OHj6wXBS5qVMyVynTMEIjOfeFFyxG+48od+Xn7qg6LT7G rHeNf+z/r0v9+8eZ1Ip63kshQDGhhpmRMKu4Ws9ZvTW2ACXkkTFaSGYJj3yIP4R6IgwBYGMz DXFX6nS4LA1s3pcPNxOgrvCyb60AiJZTLcOk/rRrpZtXB1XQc23ZZmrlTkl2HaThL6w3YKdi Ti1NbuMeOxZqtXcUshII45sANm4HuWNTiRh93Bn5bN6ddjgsaXEZBKUBuUaPBl7gQiQJcAlS 3MmGgVS4ZoX8+VaPGpXdQVFyBMRFlOKOC5XJESt7wY0RE2C8PFm+5eywSO/P1fkl9whkMgml 3OEuIQiP2ehRt/HVLMHkoM9CPQ7t6UwdrXrvX+vBZykav8x9U9M6KTgfsXytxUl6Vx5lPMLi 2/Jrsz6Mzh/IVZa3xjhq1OLFSI/tT2ji4FkJDQbO+yYUDhcuqfakDmtWLMxecZsY6O58A/95 8Qni6Xeq+Nh7zJ7wNcQOMoDGj+24di2TX1cKLzdDMWFaWzlNP5dB5VMwS9Wqj1Z6TzKjGjru q8soqohwb2CK9B3wzFg0Bs1iBI+2RuFnxLkCDQRaPVAyARAA+g3R0HzGr/Dl34Y07XqGqzq5 SU0nXIu9u8Ynsxj7gR5qb3HgUWYEWrHW2jHOByXnvkffucf5yzwrsvw8Q8iI8CFHiTYHPpey 4yPVn6R0w/FOMcY70eTIu/k6EEFDlDbs09DtKcrsT9bmN0XoRxITlXwWTufYqUnmS+YkAuk+ TLCtUin7OdaS2uU6Ata3PLQSeM2ZsUQMmYmHPwB9rmf+q2I005AJ9Q1SPQ2KNg/8xOGxo13S VuaSqYRQdpV93RuCOzg4vuXtR+gP0KQrus/P2ZCEPvU9cXF/2MIhXgOz207lv3iE2zGyNXld /n8spvWk+0bH5Zqd9Wcba/rGcBhmX9NKKDARZqjkv/zVEP1X97w1HsNYeUFNcg2lk9zQKb4v l1jx/Uz8ukzH2QNhU4R39dbF/4AwWuSVkGW6bTxHJqGs6YimbfdQqxTzmqFwz3JP0OtXX5q/ 6D4pHwcmJwEiDNzsBLl6skPSQ0Xyq3pua/qAP8MVm+YxCxJQITqZ8qjDLzoe7s9X6FLLC/DA L9kxl5saVSfDbuI3usH/emdtn0NA9/M7nfgih92zD92sl1yQXHT6BDa8xW1j+RU4P+E0wyd7 zgB2UeYgrp2IIcfG+xX2uFG5MJQ/nYfBoiALb0+dQHNHDtFnNGY3Oe8z1M9c5aDG3/s29QbJ +w7hEKKo9YMAEQEAAYkCJQQYAQgADwUCWj1QMgIbDAUJCZQmAAAKCRBasvrxexcr6qwvD/9b Rek3kfN8Q+jGrKl8qwY8HC5s4mhdDJZI/JP2FImf5J2+d5/e8UJ4fcsT79E0/FqX3Z9wZr6h sofPqLh1/YzDsYkZDHTYSGrlWGP/I5kXwUmFnBZHzM3WGrL3S7ZmCYMdudhykxXXjq7M6Do1 oxM8JofrXGtwBTLv5wfvvygJouVCVe87Ge7mCeY5vey1eUi4zSSF1zPpR6gg64w2g4TXM5qt SwkZVOv1g475LsGlYWRuJV8TA67yp1zJI7HkNqCo8KyHX0DPOh9c+Sd9ZX4aqKfqH9HIpnCL AYEgj7vofeix7gM3kQQmwynqq32bQGQBrKJEYp2vfeO30VsVx4dzuuiC5lyjUccVmw5D72J0 FlGrfEm0kw6D1qwyBg0SAMqamKN6XDdjhNAtXIaoA2UMZK/vZGGUKbqTgDdk0fnzOyb2zvXK CiPFKqIPAqKaDHg0JHdGI3KpQdRNLLzgx083EqEc6IAwWA6jSz+6lZDV6XDgF0lYqAYIkg3+ 6OUXUv6plMlwSHquiOc/MQXHfgUP5//Ra5JuiuyCj954FD+MBKIj8eWROfnzyEnBplVHGSDI ZLzL3pvV14dcsoajdeIH45i8DxnVm64BvEFHtLNlnliMrLOrk4shfmWyUqNlzilXN2BTFVFH 4MrnagFdcFnWYp1JPh96ZKjiqBwMv/H0kw==
Message-ID: <ef8e3693-79cc-0812-ad74-ed4a19c7ff50@cs.tcd.ie>
Date: Tue, 25 Feb 2020 15:54:35 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1
MIME-Version: 1.0
In-Reply-To: <20200225151359.GA57690@wakko.flat11.house>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="XplNa6JuP3RvWsML8h1HEfuwlEovWLyIB"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/aphW5gp1F0kALfKL_2m4f7kZ5fA>
Subject: Re: [dns-privacy] Fwd: New Version Notification for draft-ghedini-dprive-early-data-02.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Feb 2020 15:54:41 -0000
Hiya, I may well be just forgetting things, (in which case, apologies), but is there something missing... If an attacker replays a 0rtt query for an A record, and the recursive acts on the query before the handshake is complete by sending a cleartext query upstream and if the attacker can see that upstream query, wouldn't that be noteworthy? If so, perhaps your draft ought not say that "a server ...MAY...delay the processing" but instead say something stronger? E.g., perhaps that the query from early_data MUST NOT be visibly-processed/forwarded until the h/s has successfully completed? Cheers, S. On 25/02/2020 15:13, Alessandro Ghedini wrote: > On Tue, Feb 25, 2020 at 06:24:20AM -0800, internet-drafts@ietf.org wrote: >> >> >> A new version of I-D, draft-ghedini-dprive-early-data-02.txt >> has been successfully submitted by Alessandro Ghedini and posted to the >> IETF repository. >> >> Name: draft-ghedini-dprive-early-data >> Revision: 02 >> Title: Using Early Data in DNS over TLS >> Document date: 2020-02-25 >> Group: Individual Submission >> Pages: 6 >> URL: https://www.ietf.org/internet-drafts/draft-ghedini-dprive-early-data-02.txt >> Status: https://datatracker.ietf.org/doc/draft-ghedini-dprive-early-data/ >> Htmlized: https://tools.ietf.org/html/draft-ghedini-dprive-early-data-02 >> Htmlized: https://datatracker.ietf.org/doc/html/draft-ghedini-dprive-early-data >> Diff: https://www.ietf.org/rfcdiff?url2=draft-ghedini-dprive-early-data-02 >> >> Abstract: >> This document illustrates the risks of using TLS 1.3 early data with >> DNS over TLS, and specifies behaviors that can be adopted by clients >> and servers to reduce those risks. > > Long overdue update to the Early Data for DoT draft (sorry for the delay). This > incorporates changes suggested from past discussions and reviews. > > Notably: > > * Clarified why some DNS messages are not allowed in early data. All DNS > > * Messages that don't use the Query opcode are now explicitly forbidden > from being sent over early data. > > * Defined a registry of RR types that can be sent over early data. This is > likely to be incomplete right now. New entries can be easily added later, but > for now I'd like some feedback on whether this is the right direction before > going further. > > As per the above changelog, the new draft strictly limits DNS messages allowed > in early data to ones that use the Query opcode AND RR types that are explcitly > listed in the new registry. But after doing that work, I'm now wondering if > allowing only query messages is actually enough, without the need to define the > RR types registry. Any thoughts? I don't really know what most of the RR types > currently defined do, so I might be missing something. > > Also worth noting that the general wording and structure of the draft might need > some improvements (as Martin pointed out in his review some text could probably > be replaced by references to RFC 8446 and 8470) but after spending some time on > this I couldn't come up with much, so for now I'd like to get some feedback on > the changes and discussion point mentioned above. > > CHeers > > _______________________________________________ > dns-privacy mailing list > dns-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/dns-privacy >
- [dns-privacy] Fwd: New Version Notification for d… Alessandro Ghedini
- Re: [dns-privacy] Fwd: New Version Notification f… Stephen Farrell
- Re: [dns-privacy] Fwd: New Version Notification f… Martin Thomson