Re: [dns-privacy] Use of separate caches for plain and secure transports

[Mukund Sivaraman]

Hi Daniel

On Thu, Dec 13, 2018 at 02:32:41PM -0500, Daniel Kahn Gillmor wrote:
> The degenerate scenario i'd painted on the call was:
> 
>  * consider a DPRIVE-capable DNS resolver; for whatever reason, only a
>single request has been made to it since it booted.
> 
>  * a new cleartext (non-private) request comes in for foo.example, and
>it does the lookups it needs to do, all in the clear. (private
>queries to authoritatives would have worked, but they weren't tried
>since the initial request was in the clear anyway).
> 
>  * a subsequent private request comes in to the resolver, and the
>resolver responds without doing any upstream lookup.
> 
> in this scenario, a passive observer of the resolver's traffic can infer
> that the private query was likely also for foo.example (or at least, for
> one of the names that needed resolution in order to get an answer for
> foo.example, like NS records).

Ah.. I follow it now, and why you think it is a leak. :)

A resolver can respond to several queries without performing any
upstream queries. As an example, take RFC 6761. Nothing can be inferred
about a query simply because it didn't result in resolution.

> 
> So this is a privacy leak, which could be mitigated by treating the
> cache of RRs-accessed-in-the-clear as invalid for retrieval of the
> private query unless private authoritative DNS is confirmed to be
> unavailable.
> 
> There might be other effective mitigation besides a split cache,
> though.  for example, preferring private queries upstream in the first
> place for every query might offer some mitigation.
> 
> what do you think?
> 
>   --dkg

Mukund

___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy

Re: [dns-privacy] Issues with encoding keys in nameserver DNS names

[Daniel Kahn Gillmor]

On Fri 2018-12-14 03:30:29 +0530, Mukund Sivaraman wrote:
> I don't think this way. :) I think it will not support every RFC 1035
> DNS name, but only a subset of it. It should work for every valid name,
> because they are valid names and some application may want it. Why
> settle for hacks when it can be designed elegantly?

It depends on what elegance you're looking for.  There are ugly
real-world systems out there that can't support all kinds of new keys.

Furthermore, if you want a key digest to be bound to a specific name,
then either you incur an extra round trip (find out the name; then find
out the associated key digest) or you expect whoever ships the glue to
know how to ship additional glue cleverly.  not so elegant in terms of
actual delivery.

Stuffing a digest of a key in the name is useful in binding the key to
the server directly, without having to juggle multiple different RRsets.

So i agree -- it looks like a hack, and it does have some size limits.
but i don't think those limits are plausible for anything real-world to
hit, and compared to the other inelegancies, it seems pretty promising
to me.

>> you get the key by connecting to the server and receiving it as part of
>> the server handshake.
>
> Nod. (can't help thinking that's another roundtrip, but perhaps that
> can't be avoided.)

if we're talking about DNS-over-TLS, then the server's key is going to
come down the pipe in the TLS handshake anyway, so it's no significant
extra burden to expect it there.

  --dkg


signature.asc
Description: PGP signature
___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy

Re: [dns-privacy] Use of separate caches for plain and secure transports

[Daniel Kahn Gillmor]

Hi Mukund--

On Tue 2018-12-11 11:13:39 +0530, Mukund Sivaraman wrote:
> During last night's meeting, there was talk about use of a split-cache -
> one with answers learned from plain transports and another with answers
> learned via secure transports.

I think i was the one that mentioned that there *could* be a security or
privacy issue there.  fwiw, i really want the answer here to be "don't
worry about it, use a single cache", because that makes implementations
significantly easier.

In the long run, there might even be privacy or security tradeoffs here,
and we might decide that they're prices worth paying for the additional
implementation simplicity -- i don't know.

I just want to try to ensure that we've at least thought about some
potential downsides and mapped them out.

The degenerate scenario i'd painted on the call was:

 * consider a DPRIVE-capable DNS resolver; for whatever reason, only a
   single request has been made to it since it booted.

 * a new cleartext (non-private) request comes in for foo.example, and
   it does the lookups it needs to do, all in the clear. (private
   queries to authoritatives would have worked, but they weren't tried
   since the initial request was in the clear anyway).

 * a subsequent private request comes in to the resolver, and the
   resolver responds without doing any upstream lookup.

in this scenario, a passive observer of the resolver's traffic can infer
that the private query was likely also for foo.example (or at least, for
one of the names that needed resolution in order to get an answer for
foo.example, like NS records).

So this is a privacy leak, which could be mitigated by treating the
cache of RRs-accessed-in-the-clear as invalid for retrieval of the
private query unless private authoritative DNS is confirmed to be
unavailable.

There might be other effective mitigation besides a split cache,
though.  for example, preferring private queries upstream in the first
place for every query might offer some mitigation.

what do you think?

  --dkg


signature.asc
Description: PGP signature
___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy

Re: [dns-privacy] Issues with encoding keys in nameserver DNS names

[Daniel Kahn Gillmor]

On Tue 2018-12-11 11:08:06 +0530, Mukund Sivaraman wrote:
> 1. The RDATA of an NS record has to be a hostname, so it would limit the
> amount of data that can be encoded within the NSDNAME. As an example,
> base32 encoding is not possible.

why is base32 encoding not possible for a hostname?

just for fun, i've stood up a new server.  It's not a DoT server, but
its name follows the guidance at:
https://knot-resolver.readthedocs.io/en/latest/modules.html#experimental-dns-over-tls-auto-discovery

https://longname.cmrg.net/
https://dot-fvyrmqvxe2yeialcpsu7xlbs6xefgd5rsa6mjwycewdrpeq2jcaq.nameservers.cmrg.net/

i had no trouble getting a certificate issued for it, and no problem
pointing NS records to the same name either (it's not running an
authoritative DNS server there, so it isn't fully connected, but that
has nothing to do with the name.

So the length of the name, and its ability to contain a base32-encoded
SHA256 digest is not an issue.

> 2. It would have to work for nameservers that are within a domain with a
> very long name already.

what are the length limits that you're concerned about?  if we make a
system that works for all nameservers that are within zones that are up
to (for example) 100 octets, that would be a huge win.

Remember that we're also talking about the nameserver's name itself, not
the zones it can serve.  so even longer zones can still work, as long as
their nameservers aren't in-bailiwick.

> 3. Let's assume it takes about 10 years for resolver->auth privacy
> transport to trickle into widespread operational availability. It is
> expected that quantum computers capable of obsoleting traditional crypto
> will be available in as few as 15-20 years from now. It is unclear if
> the limited length of keys that can be encoded into a subset of a DNS
> name would be sufficient for post-quantum crypto algorithms.

15 years ago, quantum computers were also 15-20 years away :)

I share your concerns about key length and post-quantum resistance, and
i wouldn't want to design a system that can *only* work with short keys.

However, at least one of the weird-naming-proposals on the table (the
knot-resolver experimental work above) is just stuffing a fixed-length
sha256 digest there -- that digest can cover PQ key material too.  If
the concern is an attack on sha256 itself, then we should think about
other ways to plan.

> 4. NS records returned as part of delegations are unsigned, so for a
> resolver to trust key information in the RDATA of such NS records in a
> delegation, it would require the delegation to be returned using secure
> transport to the parent-side nameserver of the zone cut. During last
> night's conversation, there was some talk about fallback to plain
> transports - it will not be useful unless the entire delegation from
> root is followed with secure transports.

I agree with you that there is a security gap here, as with most steps
of indirection.

But i'd temper the "will not be useful" a little bit -- maybe "will not
defend against active attackers on first connection" is more accurate?

At any rate, the NS record could itself be DNSSEC-signed, and a
suitably-cautious client could ask the server for its own NS record and
associated RRSIG (QNAME-minimized, of course) before asking for anything
else.

Does this address your concerns about the feasibility of encoding
(hashes of) keys in nameserver DNS names?

--dkg


signature.asc
Description: PGP signature
___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy

Re: [dns-privacy] Issues with encoding keys in nameserver DNS names

[Mukund Sivaraman]

On Thu, Dec 13, 2018 at 04:21:39PM -0500, Daniel Kahn Gillmor wrote:
> Hi Mukund--
> 
> thanks for your prompt followup!
> 
> On Fri 2018-12-14 02:22:12 +0530, Mukund Sivaraman wrote:
> > The trailing '='s are part of the base32 encoding.
> >
> > [muks@naina ~]$ echo -n 
> > "MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43UOV3HO6DZPI3TQOJQGEZA" | base32 -d
> > abcdefghijklmnopqrstuvwxyz789012[muks@naina ~]$ echo -n 
> > "MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43UOV3HO6DZPI3TQOJQGEZA" | base32 -d
> > abcdefghijklmnopqrstuvwxyz7890base32: invalid input
> >
> > This will not validate as a hostname label.
> 
> ah! good call, thanks.  so a "trailing-=-stripped b32 encoding" would
> work OK, right?
> 
> I did the generation in python with:
> 
> 
> base64.b32encode(hashlib.sha256(rawdata).digest()).decode('us-ascii').strip('=').lower()
> 
> it's not hard to re-add the = padding before re-decoding, based on the
> length of the string, which will be a fixed length.

Nod that'd work. :)

> > Exhaust all the size of a DNS name except for a few characters and
> > imagine a nameserver belongs under that zone. A scheme has to work and
> > well for all extremes of DNS, not only a subset.
> 
> i think i disagree.  for one thing, we've talked about the ability to do
> opportunistic connections even in the absence of a signal.  so for
> nameservers located within extremely huge zones, they might just have to
> rely on opportunistic connections.  But in practice, even for a
> nameserver that *serves* a huge zone, its name doesn't need to be in the
> zone.
> 
> Let's look at this from another angle: what sorts of limits are we
> talking about here?
> 
>  https://tools.ietf.org/html/rfc1035#section-2.3.4
> 
> establishes the limits, in particular:
> 
> labels  63 octets or less
> names   255 octets or less
> 
> so we're saying that the terminal label will consume 57 octets (52 for
> the b32, 4 for "dot-", and 1 for the dot).  this means that the zones
> that can contain such a label are limited to 198 octets.
> 
> The longest name in the public suffix list (https://publicsuffix.org) is
> 41 octets (without the trailing dot):
> s3.dualstack.ap-northeast-1.amazonaws.com
> 
> so even any long-named zone within that longest public suffix still
> leaves 157 octets for the intervening sub-zones -- space remains for
> more than two full-length 63-octet labels.
> 
> So i'm not worried -- there will be other problems with long domain
> names long before we hit this one.

I don't think this way. :) I think it will not support every RFC 1035
DNS name, but only a subset of it. It should work for every valid name,
because they are valid names and some application may want it. Why
settle for hacks when it can be designed elegantly?

> > Nod, that may work too (how does one get the key then?)
> 
> you get the key by connecting to the server and receiving it as part of
> the server handshake.

Nod. (can't help thinking that's another roundtrip, but perhaps that
can't be avoided.)

> > If it can be demonstrated to work for near-future algorithms (next 2-3
> > decades), then it's fine.
> 
> i don't think anyone knows yet what the acceptable algorithms will be in
> 25 years.  We can guess of course, but as the saying goes: prediction is
> hard, especially about the future.

That's not what I meant to say.. I'll explain. The NIST competition is
happening now and there'll be a "winner" soon, and there are many
choices of algorithms being proposed now. The system should be designed
to accomodate such algorithms, so that it will not be obsolete in the
next 2 decades *based on what we expect/know now*. It should be able to
accomodate perhaps this NIST competition "winner" that we currently
expect will be secure 20 years from now.. not some algorithm chosen 2-3
decades from now.

> > It is over 13 years since RFC 4035 and DNSSEC is still not in widespread
> > use. Features take time to be adopted and so if the proposed protocol
> > will need revision to make it support another algorithm, then it'll take
> > as many years from that time to be available, so we should future proof
> > it a bit.
> 
> sure, but i don't want to future-proof it out of existence. :) sometimes
> too much complexity added too early on a what-if basis can kill a
> protocol as easily as an unforseen change that does eventually happen.

Nod, I agree.

Also I'm just pointing out various items that need to be considered,
that's all. If it works fine with all that, then it works fine. +1. :)

> 
> > Maybe.. I am just pointing out the issues. Perhaps there's some benefit
> > in signing them and the address glue anyway, to stop resolvers from
> > going off on wild chases due to some kinds of poisoning.
> 
> I appreciate your enumerating these concerns.  I hope my analysis is
> helpful in giving some sort of reassurance that they're not a problem
> for this sort of scheme.
> 
> --dkg



> ___
> dns-privacy mailing list
> 

Re: [dns-privacy] Issues with encoding keys in nameserver DNS names

[Mukund Sivaraman]

Hi Daniel

First, thank you for replying. I wondered if I'd said something
completely wrong. :)

On Thu, Dec 13, 2018 at 01:50:39PM -0500, Daniel Kahn Gillmor wrote:
> On Tue 2018-12-11 11:08:06 +0530, Mukund Sivaraman wrote:
> > 1. The RDATA of an NS record has to be a hostname, so it would limit the
> > amount of data that can be encoded within the NSDNAME. As an example,
> > base32 encoding is not possible.
> 
> why is base32 encoding not possible for a hostname?

The first and last octets of each label in a hostname must be an
alphabet or digit (first specified in RFC 952 and relaxed in RFC
1123). The other octets of the labels can be alphabet, digit or
hyphen(-).

As an example, for a 32-octet value that's sent through base32:

[muks@naina ~]$ echo -n "abcdefghijklmnopqrstuvwxyz789012" | base32
MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43UOV3HO6DZPI3TQOJQGEZA

The trailing '='s are part of the base32 encoding.

[muks@naina ~]$ echo -n 
"MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43UOV3HO6DZPI3TQOJQGEZA" | base32 -d
abcdefghijklmnopqrstuvwxyz789012[muks@naina ~]$ echo -n 
"MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43UOV3HO6DZPI3TQOJQGEZA" | base32 -d
abcdefghijklmnopqrstuvwxyz7890base32: invalid input

This will not validate as a hostname label.

> > 2. It would have to work for nameservers that are within a domain with a
> > very long name already.
> 
> what are the length limits that you're concerned about?  if we make a
> system that works for all nameservers that are within zones that are up
> to (for example) 100 octets, that would be a huge win.

Exhaust all the size of a DNS name except for a few characters and
imagine a nameserver belongs under that zone. A scheme has to work and
well for all extremes of DNS, not only a subset.

> Remember that we're also talking about the nameserver's name itself, not
> the zones it can serve.  so even longer zones can still work, as long as
> their nameservers aren't in-bailiwick.
> 
> > 3. Let's assume it takes about 10 years for resolver->auth privacy
> > transport to trickle into widespread operational availability. It is
> > expected that quantum computers capable of obsoleting traditional crypto
> > will be available in as few as 15-20 years from now. It is unclear if
> > the limited length of keys that can be encoded into a subset of a DNS
> > name would be sufficient for post-quantum crypto algorithms.
> 
> 15 years ago, quantum computers were also 15-20 years away :)
> 
> I share your concerns about key length and post-quantum resistance, and
> i wouldn't want to design a system that can *only* work with short keys.
> 
> However, at least one of the weird-naming-proposals on the table (the
> knot-resolver experimental work above) is just stuffing a fixed-length
> sha256 digest there -- that digest can cover PQ key material too.  If
> the concern is an attack on sha256 itself, then we should think about
> other ways to plan.

Nod, that may work too (how does one get the key then?) If it can be
demonstrated to work for near-future algorithms (next 2-3 decades), then
it's fine.

It is over 13 years since RFC 4035 and DNSSEC is still not in widespread
use. Features take time to be adopted and so if the proposed protocol
will need revision to make it support another algorithm, then it'll take
as many years from that time to be available, so we should future proof
it a bit.

> > 4. NS records returned as part of delegations are unsigned, so for a
> > resolver to trust key information in the RDATA of such NS records in a
> > delegation, it would require the delegation to be returned using secure
> > transport to the parent-side nameserver of the zone cut. During last
> > night's conversation, there was some talk about fallback to plain
> > transports - it will not be useful unless the entire delegation from
> > root is followed with secure transports.
> 
> I agree with you that there is a security gap here, as with most steps
> of indirection.
> 
> But i'd temper the "will not be useful" a little bit -- maybe "will not
> defend against active attackers on first connection" is more accurate?
> 
> At any rate, the NS record could itself be DNSSEC-signed, and a
> suitably-cautious client could ask the server for its own NS record and
> associated RRSIG (QNAME-minimized, of course) before asking for anything
> else.

Maybe.. I am just pointing out the issues. Perhaps there's some benefit
in signing them and the address glue anyway, to stop resolvers from
going off on wild chases due to some kinds of poisoning.

Mukund

___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy

Re: [dns-privacy] Issues with encoding keys in nameserver DNS names

[Daniel Kahn Gillmor]

Hi Mukund--

thanks for your prompt followup!

On Fri 2018-12-14 02:22:12 +0530, Mukund Sivaraman wrote:
> The trailing '='s are part of the base32 encoding.
>
> [muks@naina ~]$ echo -n 
> "MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43UOV3HO6DZPI3TQOJQGEZA" | base32 -d
> abcdefghijklmnopqrstuvwxyz789012[muks@naina ~]$ echo -n 
> "MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43UOV3HO6DZPI3TQOJQGEZA" | base32 -d
> abcdefghijklmnopqrstuvwxyz7890base32: invalid input
>
> This will not validate as a hostname label.

ah! good call, thanks.  so a "trailing-=-stripped b32 encoding" would
work OK, right?

I did the generation in python with:


base64.b32encode(hashlib.sha256(rawdata).digest()).decode('us-ascii').strip('=').lower()

it's not hard to re-add the = padding before re-decoding, based on the
length of the string, which will be a fixed length.

> Exhaust all the size of a DNS name except for a few characters and
> imagine a nameserver belongs under that zone. A scheme has to work and
> well for all extremes of DNS, not only a subset.

i think i disagree.  for one thing, we've talked about the ability to do
opportunistic connections even in the absence of a signal.  so for
nameservers located within extremely huge zones, they might just have to
rely on opportunistic connections.  But in practice, even for a
nameserver that *serves* a huge zone, its name doesn't need to be in the
zone.

Let's look at this from another angle: what sorts of limits are we
talking about here?

 https://tools.ietf.org/html/rfc1035#section-2.3.4

establishes the limits, in particular:

labels  63 octets or less
names   255 octets or less

so we're saying that the terminal label will consume 57 octets (52 for
the b32, 4 for "dot-", and 1 for the dot).  this means that the zones
that can contain such a label are limited to 198 octets.

The longest name in the public suffix list (https://publicsuffix.org) is
41 octets (without the trailing dot):
s3.dualstack.ap-northeast-1.amazonaws.com

so even any long-named zone within that longest public suffix still
leaves 157 octets for the intervening sub-zones -- space remains for
more than two full-length 63-octet labels.

So i'm not worried -- there will be other problems with long domain
names long before we hit this one.

> Nod, that may work too (how does one get the key then?)

you get the key by connecting to the server and receiving it as part of
the server handshake.

> If it can be demonstrated to work for near-future algorithms (next 2-3
> decades), then it's fine.

i don't think anyone knows yet what the acceptable algorithms will be in
25 years.  We can guess of course, but as the saying goes: prediction is
hard, especially about the future.

> It is over 13 years since RFC 4035 and DNSSEC is still not in widespread
> use. Features take time to be adopted and so if the proposed protocol
> will need revision to make it support another algorithm, then it'll take
> as many years from that time to be available, so we should future proof
> it a bit.

sure, but i don't want to future-proof it out of existence. :) sometimes
too much complexity added too early on a what-if basis can kill a
protocol as easily as an unforseen change that does eventually happen.

> Maybe.. I am just pointing out the issues. Perhaps there's some benefit
> in signing them and the address glue anyway, to stop resolvers from
> going off on wild chases due to some kinds of poisoning.

I appreciate your enumerating these concerns.  I hope my analysis is
helpful in giving some sort of reassurance that they're not a problem
for this sort of scheme.

--dkg


signature.asc
Description: PGP signature
___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy

Re: [dns-privacy] [Ext] Issues with encoding keys in nameserver DNS names

[Mukund Sivaraman]

Hi Paul

On Thu, Dec 13, 2018 at 09:11:52PM +, Paul Hoffman wrote:
> There are many ways to get a key and then compare the hash of the key with 
> the hash you get securely from the DNS.
> 
> > If it can be
> > demonstrated to work for near-future algorithms (next 2-3 decades), then
> > it's fine.
> 
> SHA-256 is not near-future: it has been deployed for well over a decade.

Did you really mean to say this, to tell me that SHA-256 is deployed? It
seems belittling rather than address what's being discussed.

The "near-future" remark (and the whole topic) was for post-quantum
crypto algorithms such as the ones in the NIST competition. Some of
these seem to have rather large key sizes, so the RDATA of an NS record
will not be sufficiently long to hold key material. Perhaps it can hold
a digest, and then there has to be some other way to fetch a key.

> > It is over 13 years since RFC 4035 and DNSSEC is still not in widespread
> > use. Features take time to be adopted and so if the proposed protocol
> > will need revision to make it support another algorithm, then it'll take
> > as many years from that time to be available, so we should future proof
> > it a bit.
> 
> 256-bit hashes do not need to be "future proof": they are
> well-established. 256-bit keys do not need to be "future proof"
> either.

The discussion is not about specific schemes like hashes or keys or
256-bits.

> >>> 4. NS records returned as part of delegations are unsigned, so for a
> >>> resolver to trust key information in the RDATA of such NS records in a
> >>> delegation, it would require the delegation to be returned using secure
> >>> transport to the parent-side nameserver of the zone cut. During last
> >>> night's conversation, there was some talk about fallback to plain
> >>> transports - it will not be useful unless the entire delegation from
> >>> root is followed with secure transports.
> >> 
> >> I agree with you that there is a security gap here, as with most steps
> >> of indirection.
> >> 
> >> But i'd temper the "will not be useful" a little bit -- maybe "will not
> >> defend against active attackers on first connection" is more accurate?
> >> 
> >> At any rate, the NS record could itself be DNSSEC-signed, and a
> >> suitably-cautious client could ask the server for its own NS record and
> >> associated RRSIG (QNAME-minimized, of course) before asking for anything
> >> else.
> > 
> > Maybe.. I am just pointing out the issues. Perhaps there's some benefit
> > in signing them and the address glue anyway, to stop resolvers from
> > going off on wild chases due to some kinds of poisoning.
> 
> NS records are signed; is is only the glue records that are not. The
> names being discussed here are in the NS records themselves.

NS records in a delegation are not signed. If you want authoritative
signed NS records, you have to find them at the apex of the child
zone. But how would you contact the child zone's nameservers and ask it
for the signed NS at the zone's apex if you don't know how to make a
secure path to it?

Mukund

___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy

Re: [dns-privacy] Issues with encoding keys in nameserver DNS names

[manu tman]

>
> On Fri 2018-12-14 02:22:12 +0530, Mukund Sivaraman wrote:
> > The trailing '='s are part of the base32 encoding.
> >
> > [muks@naina ~]$ echo -n
> "MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43UOV3HO6DZPI3TQOJQGEZA" | base32 -d
> > abcdefghijklmnopqrstuvwxyz789012[muks@naina ~]$ echo -n
> "MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43UOV3HO6DZPI3TQOJQGEZA" | base32 -d
> > abcdefghijklmnopqrstuvwxyz7890base32: invalid input
> >
> > This will not validate as a hostname label.
>
> ah! good call, thanks.  so a "trailing-=-stripped b32 encoding" would
> work OK, right?
>
> I did the generation in python with:
>
>
> base64.b32encode(hashlib.sha256(rawdata).digest()).decode('us-ascii').strip('=').lower()
>
> it's not hard to re-add the = padding before re-decoding, based on the
> length of the string, which will be a fixed length.
>
>
Yes, the padding MUST be removed from the name in order to form a
legitimate label.
Likewise, padding must be re-added when extracting the signature back.


>
> Let's look at this from another angle: what sorts of limits are we
> talking about here?
>
>  https://tools.ietf.org/html/rfc1035#section-2.3.4
>
> establishes the limits, in particular:
>
> labels  63 octets or less
> names   255 octets or less
>
> so we're saying that the terminal label will consume 57 octets (52 for
> the b32, 4 for "dot-", and 1 for the dot).  this means that the zones
> that can contain such a label are limited to 198 octets.
>
> The longest name in the public suffix list (https://publicsuffix.org) is
> 41 octets (without the trailing dot):
> s3.dualstack.ap-northeast-1.amazonaws.com
>
> so even any long-named zone within that longest public suffix still
> leaves 157 octets for the intervening sub-zones -- space remains for
> more than two full-length 63-octet labels.
>
> So i'm not worried -- there will be other problems with long domain
> names long before we hit this one.
>

Agreed, it does form a long name but it fit the bill of the max size for
the label and still leave some room for a decently likewise already super
long name.

It may not be a nice target name, but this is not really for humans to
remember or even ever look at realistically.

Manu
___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy