Skip to content

Commit 26513ea

Browse files
committed
Clarification backed on implementation feedback
1 parent 20967f0 commit 26513ea

1 file changed

Lines changed: 5 additions & 3 deletions

File tree

draft-denis-dprive-dnscrypt.md

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -126,7 +126,7 @@ Definitions for client queries:
126126
- `<client-sk>`: the client's secret key.
127127
- `<resolver-pk>`: the resolver's public key.
128128
- `<client-nonce>`: a unique query identifier for a given (`<client-sk>`, `<resolver-pk>`) tuple. Every newly encrypted DNSCrypt query for the same (`<client-sk>`, `<resolver-pk>`) tuple MUST use a distinct `<client-nonce>` value, even when the plaintext DNS query is being retried. Retransmitting the same already-encrypted DNSCrypt packet does not require changing its nonce. The length of `<client-nonce>` is determined by the chosen encryption algorithm.
129-
- `AE`: the authenticated encryption function.
129+
- `AE`: the authenticated encryption function. For the encryption systems defined in this document, it is the `XChaCha20_DJB-Poly1305` construction of Appendix 1, whose output is the 16-byte authentication tag followed by the ciphertext.
130130
- `<encrypted-query>`: `AE(<shared-key> <client-nonce> <client-nonce-pad>, <client-query> <client-query-pad>)`
131131
- `<shared-key>`: the shared key derived from `<resolver-pk>` and `<client-sk>`, using the key exchange algorithm defined in the chosen certificate.
132132
- `<client-query>`: the unencrypted client query. The query is not modified; in particular, the query flags are not altered.
@@ -142,7 +142,7 @@ Definitions for server responses:
142142
- `<client-pk>`: the client's public key.
143143
- `<resolver-sk>`: the resolver's secret key.
144144
- `<resolver-nonce>`: a unique response identifier for a given `(<client-pk>, <resolver-sk>)` tuple. The length of `<resolver-nonce>` depends on the chosen encryption algorithm.
145-
- `AE`: the authenticated encryption function.
145+
- `AE`: the authenticated encryption function. For the encryption systems defined in this document, it is the `XChaCha20_DJB-Poly1305` construction of Appendix 1, whose output is the 16-byte authentication tag followed by the ciphertext.
146146
- `<encrypted-response>`: `AE(<shared-key>, <nonce>, <resolver-response> <resolver-response-pad>)`
147147
- `<shared-key>`: the shared key derived from `<resolver-sk>` and `<client-pk>`, using the key exchange algorithm defined in the chosen certificate.
148148
- `<resolver-response>`: the unencrypted resolver response. The response is not modified; in particular, the query flags are not altered.
@@ -379,7 +379,7 @@ A successful response to a certificate request contains one or more `TXT` record
379379

380380
- `<cert>`: `<cert-magic> <es-version> <protocol-minor-version> <signature> <resolver-pk> <client-magic> <serial> <ts-start> <ts-end> <extensions>`
381381
- `<cert-magic>`: `0x44 0x4e 0x53 0x43`
382-
- `<es-version>`: the cryptographic construction to use with this certificate. For Box-XChaChaPoly, `<es-version>` MUST be `0x00 0x02`.
382+
- `<es-version>`: the cryptographic construction to use with this certificate. For the `Box-XChaChaPoly` construction of Appendix 1, that is, the X25519 key exchange with the `XChaCha20_DJB-Poly1305` authenticated encryption algorithm, `<es-version>` MUST be `0x00 0x02`.
383383
- `<protocol-minor-version>`: `0x00 0x00`
384384
- `<signature>`: a 64-byte signature of `(<resolver-pk> <client-magic> <serial> <ts-start> <ts-end> <extensions>)` using the Ed25519 algorithm and the provider secret key. Ed25519 MUST be used in this version of the protocol.
385385
- `<resolver-pk>`: the resolver short-term public key, which is 32 bytes when using X25519.
@@ -391,6 +391,8 @@ A successful response to a certificate request contains one or more `TXT` record
391391

392392
Certificates made of this information, without extensions, are 116 bytes long. With the addition of `<cert-magic>`, `<es-version>`, and `<protocol-minor-version>`, the record is 124 bytes long.
393393

394+
Within a `TXT` record, the certificate is carried in the record's RDATA, which is a sequence of length-prefixed character-strings {{!RFC1035}}. A client reconstructs the certificate by concatenating these character-strings in order, after removing the single length octet that precedes each one. A 124-byte classical certificate fits in a single character-string, whereas a larger certificate spans several character-strings that MUST be concatenated in this way before the certificate is parsed.
395+
394396
After receiving a set of certificates, the client checks their validity based on the current date, filters out the ones designed for encryption systems that are not supported by the client, and chooses the certificate with the higher serial number.
395397

396398
DNSCrypt queries sent by the client MUST use the `<client-magic>` header of the chosen certificate, as well as the specified encryption system and public key.

0 commit comments

Comments
 (0)