On Tue, Jul 09, 2019 at 08:24:28PM -0700, Dan Wing wrote:
> On Jul 9, 2019, at 7:15 PM, Tom Pusateri <[email protected]> wrote:
> > This is relevant to the Push Notification draft we're trying to wrap up.
> >
> > In the last paragraph of section 4, it says:
> >    Not all types of DNS queries are safe to be sent as early data.
> >    Clients MUST NOT use early data to send DNS Updates ([RFC2136]) or
> >    Zone Transfers ([RFC5936]) messages. Servers receiving any of those
> >    messages MUST reply with a "FormErr" response code.
> >
> > There isn't a reason or reference for this claim of not being safe. Can the
> > authors expand on this?
>
> Thanks for writing this up, Alessandro.
>
> Tom, both of those DNS messages are not queries -- they change the state of
> the server. The concern is replay attacks, I expect. Text should be updated
> to be clear on why, for sure.
Fair enough, created https://github.com/ghedo/draft-ghedini-dprive-early-data/issues/3 to track this.

> Slightly later the text suggests a whitelist vs blacklist. I think this
> needs to be in an IANA registry indicating which DNS messages are allowed
> for early data. Implementation guidance should encourage a whitelist on the
> server, IMHO.

I wonder though if a whole new registry is overkill, and we could maybe just add a column to the existing RR types registry? In any case I created https://github.com/ghedo/draft-ghedini-dprive-early-data/issues/2 to track this.

Cheers

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
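The server-side rule quoted from section 4 (reject DNS UPDATE and AXFR/IXFR messages that arrive as TLS early data with FormErr, because a replayed 0-RTT copy would re-apply a state change), as an added illustration that is not code from the draft or any named implementation. It assumes plain wire-format messages with a single question/zone section and uses constructed sample messages; the opcode and QTYPE numbers are the registered values (UPDATE=5, IXFR=251, AXFR=252).

```python
import struct

OPCODE_QUERY, OPCODE_UPDATE = 0, 5
QTYPE_IXFR, QTYPE_AXFR = 251, 252
RCODE_FORMERR = 1

def _skip_name(msg, off):
    """Skip a wire-format name (labels or a compression pointer); return the offset after it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + length

def first_qtype(msg):
    """QTYPE of the first question (or UPDATE zone entry), None if the section is empty."""
    qdcount = struct.unpack_from("!H", msg, 4)[0]
    if qdcount == 0:
        return None
    off = _skip_name(msg, 12)
    return struct.unpack_from("!H", msg, off)[0]

def safe_for_early_data(msg):
    """Policy from the draft text: UPDATE and zone transfers are not idempotent reads,
    so they must not be accepted from 0-RTT data. Malformed messages are also rejected."""
    try:
        flags = struct.unpack_from("!H", msg, 2)[0]
        if (flags >> 11) & 0xF != OPCODE_QUERY:   # rejects UPDATE (and every non-QUERY opcode)
            return False
        return first_qtype(msg) not in (QTYPE_AXFR, QTYPE_IXFR)
    except (IndexError, struct.error):
        return False

def formerr_response(msg):
    """The reply the draft requires: same ID, QR=1, opcode echoed, RCODE=FormErr, no sections."""
    msg_id, flags = struct.unpack_from("!HH", msg, 0)
    return struct.pack("!HHHHHH", msg_id, 0x8000 | (flags & 0x7800) | RCODE_FORMERR, 0, 0, 0, 0)

def handle_early_data(msg):
    """Return (accepted, reply); reply is None when the message may be processed normally."""
    if safe_for_early_data(msg):
        return True, None
    return False, formerr_response(msg)

def build_message(msg_id, opcode, qname, qtype):
    """Constructed sample message for the demo: header plus one question, class IN."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", msg_id, opcode << 11, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)
```

Turning the check into the whitelist Dan suggests is a one-line change: replace the `not in (AXFR, IXFR)` test with membership in an explicit set of allowed QTYPEs.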
