On Tue, Feb 25, 2020, at 08:54, Stephen Farrell wrote: > If an attacker replays a 0rtt query for an A record, > and the recursive acts on the query before the handshake > is complete by sending a cleartext query upstream and > if the attacker can see that upstream query, wouldn't > that be noteworthy?
Noteworthy, yes. This amplifies an existing exposure. That is, as long as a cleartext query from the recursive could be correlated with an encrypted query to the recursive, there is a problem. This says that replays can be used - maybe - to turn one query into N. If you rely on the correlation being from a large anonymity set, this can have a serious impact on the ability of an observer to correlate queries. This might be compounded by the fact that early data might contain multiple queries that can be cross-correlated. Whether that motivates a blanket prohibition on use of early data prior to handshake completion depends greatly on other factors. If we manage to ever get encryption toward authoritative servers, and even opportunistic encryption helps considerably in this case, then this particular problem is eliminated. But I wouldn't rule out making the queries. This only applies where the query cannot be answered from cache. Of course that the potential for replay is likely closely tied to the potential for a cache miss, so we might not consider that to be relevant. _______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
