On 5/22/2017 7:53 PM, Colm MacCárthaigh wrote: > > > On Mon, May 22, 2017 at 7:23 PM, Benjamin Kaduk <bka...@akamai.com > <mailto:bka...@akamai.com>> wrote: > > > Sorry for being daft, but a direct link to this additional > side-channel would be helpful. > > > I should have done it the first time. Here it > is: https://www.ietf.org/mail-archive/web/dns-privacy/current/msg01277.html >
Colm's point is that for many DNS servers, queries are not truly stateless. The answer to a query for AAAA records for example.net might vary over time, or even query to query, for example to manage load balancing. Adversaries can predict these variations. They can observe the state of the server before and after replaying 0-RTT data. If they observed that the 0-RTT data caused the answer to change, they can confirm that the 0-RTT data contained a request to that server. I take that as an example of the more generic statement, that it is really difficult to guarantee that transactions are really stateless. Some transactions are apparently stateless, because the operation in theory only reads data from the server. But even these transactions can change the state of the server in subtle ways, such as servers managing load balancing. Another example would be web servers rotating advertisements on the page, which also can be observed. If I get Colm's point correctly, he asserts that this is a fairly general pattern, and that only fools can assume that a given transaction is "stateless". I take that as a strong argument for requiring "at most once" functionality for 0-RTT data. -- Christian Huitema
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
