Re: [dns-privacy] [EXTERNAL] Re: New Version Notification for draft-ghedini-dprive-early-data-01.txt

"Livingood, Jason" <Jason_Livingood@comcast.com> Wed, 10 July 2019 11:22 UTC

From: "Livingood, Jason" <Jason_Livingood@comcast.com>
To: Tom Pusateri <pusateri@bangj.com>
CC: Alessandro Ghedini <alessandro@ghedini.me>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Date: Wed, 10 Jul 2019 11:21:58 +0000
Message-ID: <866D75CB-28B5-4238-81B3-3D43CCF96E66@cable.comcast.com>
References: <156242998138.15238.11931955927978549044.idtracker@ietfa.amsl.com> <20190706164823.GA29462@pinky.flat11.house> <73435C5A-3819-4ED3-AC70-CF48AAF5CBA7@cable.comcast.com> <FA7E5FBD-5286-4BBD-A608-E1D6A6F9D14F@bangj.com>
In-Reply-To: <FA7E5FBD-5286-4BBD-A608-E1D6A6F9D14F@bangj.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/mnACZ7I5WUkfWO8czEZPvj8N52Y>
Subject: Re: [dns-privacy] [EXTERNAL] Re: New Version Notification for draft-ghedini-dprive-early-data-01.txt

I also read the thread at https://mailarchive.ietf.org/arch/msg/dns-privacy/p0SpGpLBAXZYJhgS3zXWwHBBlw0 and found it interesting background.

On 7/9/19, 10:15 PM, "Tom Pusateri" <pusateri@bangj.com> wrote:

    This is relevant to the Push Notification draft we’re trying to wrap up.
    
    In the last paragraph of section 4, it says:
       Not all types of DNS queries are safe to be sent as early data.
       Clients MUST NOT use early data to send DNS Updates ([RFC2136]) or
       Zone Transfers ([RFC5936]) messages.  Servers receiving any of those
       messages MUST reply with a "FormErr" response code.
    
    There isn’t a reason or reference for this claim of not being safe. Can the authors expand on this?
    
    Thanks,
    Tom
    
    
    > On Jul 9, 2019, at 9:10 PM, Livingood, Jason <Jason_Livingood@comcast.com> wrote:
    > 
    > Just read it - very interesting! Is the bottom line essentially don't do DNS+TLS-1.3+0-RTT? Basically, since 1-RTT isn't a big performance problem, why take the risk of 0-RTT?
    > 
    > JL
    > 
    > On 7/6/19, 12:50 PM, "dns-privacy on behalf of Alessandro Ghedini" <dns-privacy-bounces@ietf.org on behalf of alessandro@ghedini.me> wrote:
    > 
    >    Hello,
    > 
    >    On Sat, Jul 06, 2019 at 09:19:41AM -0700, internet-drafts@ietf.org wrote:
    >> A new version of I-D, draft-ghedini-dprive-early-data-01.txt
    >> has been successfully submitted by Alessandro Ghedini and posted to the
    >> IETF repository.
    >> 
    >> Name:		draft-ghedini-dprive-early-data
    >> Revision:	01
    >> Title:		Using Early Data in DNS over TLS
    >> Document date:	2019-07-06
    >> Group:		Individual Submission
    >> Pages:		5
    >> URL:            https://www.ietf.org/internet-drafts/draft-ghedini-dprive-early-data-01.txt
    >> Status:         https://datatracker.ietf.org/doc/draft-ghedini-dprive-early-data/
    >> Htmlized:       https://tools.ietf.org/html/draft-ghedini-dprive-early-data-01
    >> Htmlized:       https://datatracker.ietf.org/doc/html/draft-ghedini-dprive-early-data
    >> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ghedini-dprive-early-data-01
    >> 
    >> Abstract:
    >>   This document illustrates the risks of using TLS 1.3 early data with
    >>   DNS over TLS, and specifies behaviors that can be adopted by clients
    >>   and servers to reduce those risks.
    > 
    >    I've been looking for information about using TLS 1.3 0-RTT with DoT, but all I
    >    could find was a discussion from over a year ago on the mailing list:
    >    https://mailarchive.ietf.org/arch/msg/dns-privacy/LKZeOAj7Y4fC-9hRcbX_4KVWu0Y
    > 
    >    So I wrote this document to try and document potential risks as well as capture
    >    requirements for DoT implementations deciding to add support for 0-RTT (RFC8446
    >    in Appendix E.5 says that "Application protocols MUST NOT use 0-RTT data without
    >    a profile that defines its use").
    > 
    >    Most of the wording comes from RFC8470 and some content from the mailing list
    >    discussion mentioned above, though there are still some things that need to be
    >    filled in or expanded.
    > 
    >    In this new revision I expanded some of the sections as well as included some
    >    editorial fixes.
    > 
    >    The draft is maintained on GitHub at:
    >    https://protect2.fireeye.com/url?k=7c610da3-20850368-7c612a17-000babff3540-3079629bacc8ac33&u=https://github.com/ghedo/draft-ghedini-dprive-early-data
    > 
    >    Would be interested to know what people think about this.
    > 
    >    Cheers
    > 
    >    _______________________________________________
    >    dns-privacy mailing list
    >    dns-privacy@ietf.org
    >    https://www.ietf.org/mailman/listinfo/dns-privacy
    > 
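The section 4 text Tom quotes above bars DNS UPDATE and zone-transfer messages from TLS 1.3 early data and has the server answer FormErr; since 0-RTT data can be replayed by the network (RFC 8446 Appendix E.5, cited in the thread), an UPDATE carried that way could be applied more than once. The following is an added example, not code from the draft or from any implementation discussed on the list, showing how a DoT client and server could enforce that rule on the wire-format message before handing it to TLS early data or to the resolver. It relies only on the header layout of RFC 1035 and the registry values for opcode UPDATE (5) and qtypes IXFR (251) and AXFR (252); `build_query` and the sample messages are constructed for illustration.

```python
import struct

# DNS registry values: RFC 1035 header layout, RFC 2136 UPDATE opcode,
# RFC 1995 IXFR and RFC 5936 AXFR query types, RCODE 1 = FormErr.
OPCODE_UPDATE = 5
QTYPE_IXFR = 251
QTYPE_AXFR = 252
RCODE_FORMERR = 1

def parse_opcode_qtype(msg):
    """Return (opcode, qtype) of a wire-format DNS message; qtype is None when QDCOUNT is 0."""
    if len(msg) < 12:
        raise ValueError("DNS header is 12 bytes")
    _msg_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    opcode = (flags >> 11) & 0xF
    if qdcount == 0:
        return opcode, None
    off = 12
    while True:  # walk the QNAME labels up to the root label
        if off >= len(msg):
            raise ValueError("truncated QNAME")
        n = msg[off]
        if n == 0:
            off += 1
            break
        if n & 0xC0:  # a compression pointer is not expected in a question name
            raise ValueError("compressed QNAME")
        off += 1 + n
    if off + 4 > len(msg):
        raise ValueError("truncated question section")
    return opcode, struct.unpack("!H", msg[off:off + 2])[0]

def safe_as_early_data(msg):
    """Client-side gate from the draft: no UPDATE and no AXFR/IXFR in 0-RTT data."""
    opcode, qtype = parse_opcode_qtype(msg)
    return opcode != OPCODE_UPDATE and qtype not in (QTYPE_AXFR, QTYPE_IXFR)

def early_data_response(msg):
    """Server side: a FormErr reply for a forbidden early-data message, else None (process normally)."""
    if safe_as_early_data(msg):
        return None
    msg_id, flags = struct.unpack("!HH", msg[:4])
    resp_flags = 0x8000 | (flags & 0x7800) | RCODE_FORMERR  # QR set, opcode echoed, RCODE=FormErr
    return struct.pack("!HHHHHH", msg_id, resp_flags, 0, 0, 0, 0)

def build_query(qname, qtype, opcode=0, msg_id=0x1234):
    """Constructed sample message: one question, RD set, the given opcode (hypothetical helper)."""
    hdr = struct.pack("!HHHHHH", msg_id, (opcode << 11) | 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.rstrip(".").split("."))
    return hdr + labels + b"\x00" + struct.pack("!HH", qtype, 1)
```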