Re: [dns-privacy] I-D Action: draft-ietf-dprive-early-data-00.txt
On Wed, Apr 22, 2020 at 06:41:39AM -0700, internet-dra...@ietf.org wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the DNS PRIVate Exchange WG of the IETF.
>
>         Title           : Using Early Data in DNS over TLS
>         Author          : Alessandro Ghedini
>         Filename        : draft-ietf-dprive-early-data-00.txt
>         Pages           : 6
>         Date            : 2020-04-22

That RRTYPE whitelist looks quite questionable.

Any Data RRTYPE (numbers 1-127 and 256-61439) needs to be safe as QTYPE,
or there are major problems already (since servers MUST answer all of
them). Meta RRTYPEs (numbers 128-255) might be unsafe (and servers are
allowed to reject such queries already). Then there is the unassigned,
private use and reserved stuff (numbers 0, 61440-65535) and who knows
what is there.

Unfortunately there is the special snowflake that is OPT (number 41).
Despite being in DATA RRTYPE range, it is special (usually not even used
as QTYPE). Now, the base structure absolutely has to be allowed in 0-RTT.
The problem with it is that it can carry its own extensions. I have no
idea of what most of those even do, and there are probably at least some
that are unsafe in 0-RTT, and at least some that are actually useful in
0-RTT.

(As sidenote, I discovered that Unbound does not like OPT as QTYPE and
answers with FORMERR, but there are servers out there that answer OPT
queries like any other datatype they have no records for).

-Ilari

___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
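The message above partitions the 16-bit RRTYPE space into data, meta and unassigned/private/reserved ranges, and singles out OPT (41) because its RDATA carries EDNS options. The Python below is an added illustration written for this page, not code from the draft, from Ilari, or from any resolver: it classifies a QTYPE along exactly that partition and parses a DNS query on the wire far enough to report the QTYPE category, whether an OPT RR is present in the additional section, and which EDNS option codes it carries, which is the information a server-side policy for early data would need. The query bytes are constructed inline by a small builder (the EDNS COOKIE option, code 10, with made-up cookie bytes); the category labels and the `inspect_query` result shape are this example's own choices.

```python
from __future__ import annotations

import struct

# RRTYPE partition as stated in the message (RFC 6895 allocates the space this
# way; the message lumps unassigned, private use and reserved together).
DATA_RANGES = ((1, 127), (256, 61439))
META_RANGE = (128, 255)
OPT = 41  # EDNS(0) OPT pseudo-RR: numerically in the data range, but special


def classify_rrtype(rrtype: int) -> str:
    """Category label for a 16-bit RRTYPE value (labels chosen for this example)."""
    if not 0 <= rrtype <= 65535:
        raise ValueError("RRTYPE must fit in 16 bits")
    if rrtype == OPT:
        return "opt"
    if any(lo <= rrtype <= hi for lo, hi in DATA_RANGES):
        return "data"
    if META_RANGE[0] <= rrtype <= META_RANGE[1]:
        return "meta"
    return "unassigned/private/reserved"


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a wire-format name at msg[off:], following compression pointers.
    Returns (presentation name, offset just past the name in the message)."""
    labels, resume = [], None
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if ptr >= off:  # pointers must go backwards, else we could loop forever
                raise ValueError("bad compression pointer")
            if resume is None:
                resume = off + 2
            off = ptr
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels) + ".", (resume if resume is not None else off)


def _edns_option_codes(rdata: bytes) -> list[int]:
    """OPTION-CODE values in an OPT RR's RDATA (RFC 6891 6.1.2 TLV layout)."""
    codes, off = [], 0
    while off + 4 <= len(rdata):
        code, length = struct.unpack_from("!HH", rdata, off)
        off += 4
        if off + length > len(rdata):
            raise ValueError("truncated EDNS option")
        codes.append(code)
        off += length
    if off != len(rdata):
        raise ValueError("trailing bytes in OPT RDATA")
    return codes


def inspect_query(msg: bytes) -> dict:
    """Parse header, the single question, and any OPT RR in the additional section."""
    if len(msg) < 12:
        raise ValueError("short header")
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = _read_name(msg, 12)
    qtype, qclass = struct.unpack_from("!HH", msg, off)
    off += 4
    result = {"qname": qname, "qtype": qtype, "qclass": qclass,
              "category": classify_rrtype(qtype), "opt_present": False, "edns_options": []}
    # Walk every RR so offsets stay right; only OPT in the additional section is decoded.
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            _name, off = _read_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            rdata = msg[off:off + rdlen]
            if len(rdata) != rdlen:
                raise ValueError("truncated RDATA")
            off += rdlen
            if section == "ar" and rtype == OPT:
                result["opt_present"] = True
                result["edns_options"].extend(_edns_option_codes(rdata))
    return result


def build_query(qname: str, qtype: int, edns_options: dict | None = None) -> bytes:
    """Constructed sample input: a minimal query, plus an OPT RR when options are given."""
    arcount = 1 if edns_options is not None else 0
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"
    msg = hdr + name + struct.pack("!HH", qtype, 1)
    if edns_options is not None:
        rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in edns_options.items())
        # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size, TTL = ext-RCODE/version/flags
        msg += b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    sample = build_query("example.com", 1, {10: b"\x01\x02\x03\x04\x05\x06\x07\x08"})  # constructed
    print(inspect_query(sample))
```

The parser deliberately walks all three RR sections rather than assuming ANCOUNT and NSCOUNT are zero, so a query padded with extra records does not shift the OPT offset; the list of option codes is what a server would consult when deciding which EDNS extensions it is prepared to act on before the handshake completes.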
Re: [dns-privacy] I-D Action: draft-ietf-dprive-early-data-00.txt
On Wed, Apr 22, 2020 at 9:41 AM wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the DNS PRIVate Exchange WG of the IETF.
>
>         Title           : Using Early Data in DNS over TLS
>         Author          : Alessandro Ghedini
>         Filename        : draft-ietf-dprive-early-data-00.txt
>         Pages           : 6
>         Date            : 2020-04-22
>
> Abstract:
>    This document illustrates the risks of using TLS 1.3 early data with
>    DNS over TLS, and specifies behaviors that can be adopted by clients
>    and servers to reduce those risks.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dprive-early-data/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-dprive-early-data-00
> https://datatracker.ietf.org/doc/html/draft-ietf-dprive-early-data-00
>
>

Looks good to me, one nit:

1. Introduction
   "tecniques" -> "techniques"

-- 
Bob Harold
[dns-privacy] I-D Action: draft-ietf-dprive-early-data-00.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the DNS PRIVate Exchange WG of the IETF.

        Title           : Using Early Data in DNS over TLS
        Author          : Alessandro Ghedini
        Filename        : draft-ietf-dprive-early-data-00.txt
        Pages           : 6
        Date            : 2020-04-22

Abstract:
   This document illustrates the risks of using TLS 1.3 early data with
   DNS over TLS, and specifies behaviors that can be adopted by clients
   and servers to reduce those risks.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dprive-early-data/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-dprive-early-data-00
https://datatracker.ietf.org/doc/html/draft-ietf-dprive-early-data-00

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/