On Tue, May 23, 2017 at 11:27 AM, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
> Actually, nonces in DNScurve protect clients from replayed server
> responses (clients are stateful). I see no explicit guidance to detect
> or refuse replays of client queries in DNScurve. While servers could
> keep a nonce cache, in practice there are multiple servers and they
> don't share state (no "strike registers").

My apologies, you're right! I'll make sure to tease djb now.

That's still an insecure design (or at least a privacy defeating design) for the same reasons as earlier. Though tinydns doesn't do RRL or Cyclic answers, so in that coupled implementation it may be ok.

At one time we didn't think the kinds of side-channels present in TLS were a big deal; the "it is not believed to be large enough to be exploitable" note in section 6.2.3.2 of RFC5246 comes to mind. Here we risk repeating history.

--
Colm
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
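The server-side nonce cache ("strike register") discussed in the message above, as an added example that is not part of the thread and not taken from any DNSCurve implementation. The freshness timestamp carried with each query, the 10-second window, and all names (`StrikeRegister`, `accept`, `replay_demo`) are assumptions made for illustration; the sample query is constructed.

```python
class StrikeRegister:
    """One server's cache of client nonces seen inside a freshness window."""

    def __init__(self, window_seconds=10.0):
        self.window = window_seconds
        self.seen = {}  # (client_key, nonce) -> sender timestamp

    def accept(self, client_key, nonce, sent_at, now):
        # Queries outside the window are refused outright, so the register
        # only ever has to remember nonces for `window` seconds.
        if abs(now - sent_at) > self.window:
            return False
        # Drop entries that could no longer pass the freshness check.
        self.seen = {k: t for k, t in self.seen.items()
                     if now - t <= self.window}
        key = (client_key, nonce)
        if key in self.seen:
            return False  # replay of a query this server already answered
        self.seen[key] = sent_at
        return True


def replay_demo():
    # Constructed sample query: (client public key, nonce, sender timestamp).
    query = (b"client-pubkey", b"\x00" * 12, 1000.0)

    server_a = StrikeRegister()  # two servers for the same zone,
    server_b = StrikeRegister()  # each with its own private register
    shared = StrikeRegister()    # one register consulted by both servers

    return {
        "first_to_a": server_a.accept(*query, now=1001.0),
        "replay_to_a": server_a.accept(*query, now=1002.0),
        # server_b never saw the nonce, so the replay is answered again.
        "replay_to_b": server_b.accept(*query, now=1003.0),
        # Past the window the replay fails on freshness alone.
        "stale_replay_to_b": server_b.accept(*query, now=1020.0),
        # With shared state the second server refuses the replay.
        "shared_first": shared.accept(*query, now=1001.0),
        "shared_replay": shared.accept(*query, now=1003.0),
    }


if __name__ == "__main__":
    for name, accepted in replay_demo().items():
        print(f"{name}: {'accepted' if accepted else 'refused'}")
```
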