title: DPRIVE IETF 108

DNS Privacy Exchange (DPRIVE) WG

Very Responsible Area Director

Current Working Group Business

Daniel Gillmor: ALPN handshake is cleartext, so it appears as a zone transfer over a DoT query. Risks of distinguishability?
Sara: Would have to look at padding and timing to disguise it. Determine which nameservers host zones.
DKG: Detect Zone Transfer in order to prevent it.

Peter van Dijk: limit ALPN to SOA and XFR, PowerDNS does NSQuery.
Sara: did not want to force servers to answer over an encrypted connection if not supported.

Jim Reid: consider TLS session resumption work
Sara: A little premature.

Jon Reid: In favor of ALPN.

EKR: What happens right now when I ask for a zone XFR over TCP? Why ALPN?
Sara: We didn't want the requirement that if an auth was supporting XoT, it had to be ready to answer queries over that connection.
EKR: They can refuse to answer those queries
Sara: We think it's clearer. Also, IP-based ACL/TSIG: determine when to control zone transfer access.
EKR: Not what ALPN is intended for.
Sara: Weaknesses in both approaches

DKG: If you do XFR over this connection, this is how it is done.

Petr Spacek: if the draft says handle these queries, and the rest you send back REFUSED.
Sara: Not all operators agree to open TLS queries.

Erik Nygren: use SNI for this?
Sara: Would we allow any queries for those SNIs?
Sara: Not using ALPN is a tuning problem

New Working Group Business