Closed sudheesh001 closed 4 years ago
I don't think this is necessary. If the KeyId is wrong, the target will fail to decrypt the query, and inform the client as such (with a generic error). Plus, with DNSSEC and a reliable transport like DoH used for fetching the key, malformed records are unlikely to arise.
The current discovery of the designated DoH servers mentions the retrieval of the public key from the DoH server as the `odohkey` in the HTTPSSVC DNS record. The client retrieves a DNSSEC signed record and validates it. Additionally, it'd make sense to also have a hash of the odohkey available as the `odohkey-id` in the records so that the client can perform a check for `odohkey.KeyID() == odohkey-id` in addition to ensuring that these are DNSSEC signed records?
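
The check proposed in this issue, sketched in Go as an added example that is not part of the thread or of the project's code. It assumes the key id is derived as in RFC 9230 (HKDF-SHA256 Extract then Expand with the label "odoh key id" over the serialized config contents); `configContents`, `keyID` and `verifyKeyID` are hypothetical names, and the key bytes are constructed sample data.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// configContents serializes kem_id, kdf_id, aead_id and a length-prefixed
// public key: the layout assumed here for the published odohkey.
func configContents(kem, kdf, aead uint16, pk []byte) []byte {
	b := make([]byte, 8, 8+len(pk))
	binary.BigEndian.PutUint16(b[0:], kem)
	binary.BigEndian.PutUint16(b[2:], kdf)
	binary.BigEndian.PutUint16(b[4:], aead)
	binary.BigEndian.PutUint16(b[6:], uint16(len(pk)))
	return append(b, pk...)
}

func hmacSHA256(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// keyID computes HKDF-Expand(HKDF-Extract("", config), "odoh key id", 32).
func keyID(config []byte) []byte {
	prk := hmacSHA256(nil, config)                              // Extract, empty salt
	return hmacSHA256(prk, append([]byte("odoh key id"), 0x01)) // Expand, one block
}

// verifyKeyID reports whether the id published next to the key matches the
// id recomputed from the key itself; the comparison is constant time.
func verifyKeyID(config, publishedID []byte) bool {
	return subtle.ConstantTimeCompare(keyID(config), publishedID) == 1
}

func main() {
	pk := make([]byte, 32) // constructed sample key bytes, not a real key
	cfg := configContents(0x0020, 0x0001, 0x0001, pk)
	id := keyID(cfg)
	fmt.Println("match:", verifyKeyID(cfg, id))
	cfg[len(cfg)-1] ^= 1 // simulate a malformed record: one key byte differs
	fmt.Println("match after corruption:", verifyKeyID(cfg, id))
}
```

Because the id is a function of the key alone, this check detects a record whose key and id disagree; it does not authenticate the record, which remains the job of DNSSEC validation.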