On 5/22/2017 10:24 AM, Colm MacCárthaigh wrote: > > > On Mon, May 22, 2017 at 10:12 AM, Kyle Nekritz <knekr...@fb.com > <mailto:knekr...@fb.com>> wrote: > ... > > Which mechanisms to use, and whether to enable 0-RTT in the first > place (or PSK mode at all), should be decided considering the > tradeoff between security/performance/implementation constraints, > etc. In the case of DNS, most DNS security protocols (dnssec, > etc.) do allow this kind of replay so I think it is a pretty > reasonable tradeoff to consider. > > > > This same argument could be made for keeping MD5, or RC4. DNSSEC is > not concerned with secrecy. TLS is. This exact kind of replay would > compromise the secrecy of the data being transported. > Check DKG's analysis of 0-RTT for DNS over TLS: https://www.ietf.org/mail-archive/web/dns-privacy/current/msg01276.html. There is only one point of concern, a minor privacy leak if the DNS queries in the 0-RTT data can be replayed at intervals chosen by the attacker. The idea is to replay the data to a resolver, and then observe the queries going out to authoritative servers in clear text. The correlation can be used to find out what domain the client was attempting to resolve. The attack requires "chosen time" by the attacker, and thus will probably be mitigated by a caching system that prevents replays after a short interval.
-- Christian Huitema
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
