title: DPRIVE IETF 108

DNS Privacy Exchange (DPRIVE) WG

Very Responsible Area Director

Current Working Group Business

Daniel Kahn Gillmor: The ALPN handshake is cleartext, so it appears as a zone transfer over an ADoT query. Risks of distinguishability?
Sara: Would have to look at padding and timing to disguise it. Determine which nameservers host zones.
DKG: Detect zone transfer in order to prevent it.

Peter van Dijk: Limit ALPN to SOA and XFR; PowerDNS does NS query.
Sara: Did not want to force servers to answer over an encrypted connection if not supported.

Jim Reid: Consider TLS session resumption work.
Sara: A little premature.

Jon Reid: In favor of ALPN.

EKR: What happens right now when I ask for a zone XFR over TCP? Why ALPN?
Sara: We didn't want the requirement that if an auth was supporting XoT, it had to be ready to answer queries over that connection.
EKR: They can refuse to answer those queries.
Sara: We think it's clearer. Also, IP-based ACL/TSIG determine when to control zone transfer access.
EKR: Not what ALPN is intended for.
Sara: Weaknesses in both approaches.

DKG: If you do XFR over this connection, this is how it is done.

Petr Spacek: If the draft says handle these queries, then the rest you send back REFUSED.
Sara: Not all operators agree to open TLS queries.

Erik Nygren: Use SNI for this?
Sara: Would we allow any queries for those SNIs?
Sara: Not using ALPN is a tuning problem.

New Working Group Business