Re: [DNSOP] I-D Action: draft-ietf-dnsop-server-cookies-01.txt

2019-11-07 Thread Willem Toorop 
Op 06-11-2019 om 17:27 schreef Philip Homburg:
>> Philip Homburg pointed out that, although impractical to determine the
>> Client IP before Client Cookie construction, it is feasible for a Client
>> to detect it when it learns a Server Cookie from a specific Server.  It
>> can subsequently be tried to be reused for the same Server which will
>> fail if the Client IP has changed.
>>
>> This new (and practically implementable) requirement does not only
>> enhance privacy and make DNS Cookies work with the IPv6 Privacy
>> Extensions (by preventing tracking), it also makes them work in other
>> environments where Client source IP can change frequently, such as in
>> setups with multiple outgoing gateways.
> 
> Note that my preference was a pseudo-random client cookie. 
> 
> I can see two issues with the current approach:
> 1) I'm not sure this actually fixes the IPv6 privacy extensions problem.
>The same client cookie can be used on different addresses if the 
>server doesn't support cookies and the client at some point forgets
>that the server doesn't support cookies (and sends the server the
>same client cookie after a new privacy address is generated).
> 
> 2) As an extension of the previous, if no server supports cookies, then the
>client will not change the Client Secret and continues to use the same
>client cookie after it moves to new location.

Ack!

I see e need to adapt Client Construction section again. Also, these
considerations should be well expressed in a privacy and security
section as well.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-zone-digest-02.txt

2019-11-07 Thread Vladimír Čunát 
Hello!

On 10/28/19 10:32 PM, Wessels, Duane wrote:
> The one defined hash algorithm SHA384 has been renamed to SHA384-STABLE to 
> reflect that it designed for use on stable (or small) zones where it is not 
> burdensome to recalculate the digest over the entire zone data each time.

Tiny nitpick: calling it "SHA384-STABLE" might be a tiny bit confusing
(to me), as I've seen that word refer to some particular hashing
approaches/properties.  Actually some of the algorithms that efficiently
recompute after small changes in large zones... I'd even tend to call
those digests (more) "stable"/"steady" intuitively, but that might be
personal :-)  I certainly don't have a strong opinion on the naming and
don't want to bike-shed, but I could imagine calling it "simple" or
"flat" or something along those lines.

[example] https://en.wikipedia.org/wiki/Stable_hashing

--Vladimir

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop