[dns-privacy] ODoH RFC SetupBaseS clarification

Ravi sankar MANTHA <r.mantha@f5.com> Wed, 10 August 2022 09:10 UTC

From: Ravi sankar MANTHA <r.mantha@f5.com>
To: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Date: Wed, 10 Aug 2022 09:09:42 +0000
Message-ID: <BL0PR01MB4387AFD8D7C2895F2392433EA5659@BL0PR01MB4387.prod.exchangelabs.com>
References: <BL0PR01MB438718D20FCC518DFEDA5BF1A5659@BL0PR01MB4387.prod.exchangelabs.com>
In-Reply-To: <BL0PR01MB438718D20FCC518DFEDA5BF1A5659@BL0PR01MB4387.prod.exchangelabs.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/Ftg7jrJxWgFQDXS-26UhhyA7YPs>
Subject: [dns-privacy] ODoH RFC SetupBaseS clarification

Hi,


In Section 6.2 of RFC 9230, it's mentioned that SetupBaseS takes only 2 parameters (pkR, "odoh query").

However, reference implementations are indeed using a randomiser from the client side:
enc, ctxI, err := hpke.SetupBaseS(suite, rand.Reader, pkR, []byte(ODOH_LABEL_QUERY))

(https://github.com/cloudflare/odoh-go/blob/7c6d9ff448c53e0e546f2afe915ad9608e11f7bd/odoh.go#L471)

This has an implication on target implementations,

If Targets assume the randomizer is not present in the shared secret derivation, then the Context is unique per Target Public Key, and they may choose not to store/derive it per message per Public Key.

If a random seed is present, then contexts are unique only per message (DNS Query).

So, this has an interoperability impact, as Encrypt/Decrypt fails for Query Responses if the wrong shared key/Context is used on the Target side.

IMHO, we might need to clarify this in the RFC, either by updating the pseudocode for SetupBaseS or by adding a note that the Target should derive the shared secret/Context with every oblivious DNS query. Or is it implicit somewhere in the RFC?

Regards,

Ravi Mantha
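The behaviour the question above turns on, as an added example that is not part of the thread, of RFC 9230, or of the odoh-go/circl code it links to: a deliberately simplified model of HPKE base mode over X25519 + HKDF-SHA256 + AES-256-GCM, written against Go's standard library only. It is not a conformant RFC 9180 implementation (no labelled KDF, no key schedule, one message per context); the function names SetupBaseS/SetupBaseR mirror the RFC's names, the rng parameter is the randomizer the reference implementation passes, and the two query payloads are constructed sample bytes. It shows that the ephemeral key drawn inside SetupBaseS makes enc and the derived context fresh for every message even though pkR and the label never change, that a target which runs SetupBaseR on each message's enc decrypts both queries, and that a target which caches the context from query 1 and applies it to query 2 gets an AEAD failure.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// hkdfSHA256: HKDF extract-then-expand (RFC 5869); a plain KDF standing in for RFC 9180's labelled KDF.
func hkdfSHA256(salt, ikm, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var out, t []byte
	for i := byte(1); len(out) < n; i++ {
		exp := hmac.New(sha256.New, prk)
		exp.Write(append(append(append([]byte{}, t...), info...), i))
		t = exp.Sum(nil)
		out = append(out, t...)
	}
	return out[:n]
}

// Context is the per-exchange AEAD state, the analogue of the HPKE context; one context seals one message here.
type Context struct {
	aead  cipher.AEAD
	nonce []byte
}

// newContext derives an AES-256-GCM key and nonce from the DH shared secret, bound to enc and pkR.
func newContext(shared, enc, pkR, info []byte) (*Context, error) {
	km := hkdfSHA256(append(append([]byte{}, enc...), pkR...), shared, info, 32+12)
	block, err := aes.NewCipher(km[:32])
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return &Context{aead: aead, nonce: km[32:]}, nil
}

// SetupBaseS models the HPKE sender setup. A fresh ephemeral X25519 key is drawn from rng on
// every call, so the same pkR and label yield a new enc and a new context each time.
func SetupBaseS(rng io.Reader, pkR *ecdh.PublicKey, info []byte) ([]byte, *Context, error) {
	skE, err := ecdh.X25519().GenerateKey(rng)
	if err != nil { return nil, nil, err }
	shared, err := skE.ECDH(pkR)
	if err != nil { return nil, nil, err }
	enc := skE.PublicKey().Bytes()
	ctx, err := newContext(shared, enc, pkR.Bytes(), info)
	return enc, ctx, err
}

// SetupBaseR models the HPKE receiver setup: the target recovers the context only from
// the enc carried in this particular message.
func SetupBaseR(enc []byte, skR *ecdh.PrivateKey, info []byte) (*Context, error) {
	pkE, err := ecdh.X25519().NewPublicKey(enc)
	if err != nil { return nil, err }
	shared, err := skR.ECDH(pkE)
	if err != nil { return nil, err }
	return newContext(shared, enc, skR.PublicKey().Bytes(), info)
}

func (c *Context) Seal(aad, pt []byte) []byte          { return c.aead.Seal(nil, c.nonce, pt, aad) }
func (c *Context) Open(aad, ct []byte) ([]byte, error) { return c.aead.Open(nil, c.nonce, ct, aad) }

// TwoQueries sends two queries from one client to one target key and reports whether the enc
// values differ, whether per-message SetupBaseR decrypts both, and whether a cached context opens query 2.
func TwoQueries() (encDiffer, perMessageOK, cachedOK bool, err error) {
	skR, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return }
	label := []byte("odoh query")
	q1, q2 := []byte("example.com. IN A"), []byte("example.org. IN AAAA") // constructed payloads
	enc1, s1, err := SetupBaseS(rand.Reader, skR.PublicKey(), label)
	if err != nil { return }
	enc2, s2, err := SetupBaseS(rand.Reader, skR.PublicKey(), label)
	if err != nil { return }
	ct1, ct2 := s1.Seal(nil, q1), s2.Seal(nil, q2)
	encDiffer = !bytes.Equal(enc1, enc2)
	r1, err := SetupBaseR(enc1, skR, label) // correct target: one SetupBaseR per message
	if err != nil { return }
	r2, err := SetupBaseR(enc2, skR, label)
	if err != nil { return }
	p1, e1 := r1.Open(nil, ct1)
	p2, e2 := r2.Open(nil, ct2)
	perMessageOK = e1 == nil && e2 == nil && bytes.Equal(p1, q1) && bytes.Equal(p2, q2)
	_, eCached := r1.Open(nil, ct2) // mistaken target: context from query 1 reused for query 2
	cachedOK = eCached == nil
	return
}

func main() {
	d, m, c, err := TwoQueries()
	fmt.Println("enc differs:", d, "per-message decrypt:", m, "cached-context decrypt:", c, "err:", err)
}
```

The randomness lives entirely in the client's ephemeral key, which is why the RFC's two-argument SetupBaseS(pkR, "odoh query") and the implementation's four-argument call agree on the wire: the target never sees the rng, only the enc it produced, and must feed that enc through SetupBaseR for every query it receives.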