Commit 2da44fe

Clarifications based on feedback from an actual implementation
1 parent 26513ea commit 2da44fe

1 file changed

Lines changed: 6 additions & 4 deletions

draft-denis-dprive-dnscrypt.md

@@ -126,11 +126,11 @@ Definitions for client queries:
126126
- `<client-sk>`: the client's secret key.
127127
- `<resolver-pk>`: the resolver's public key.
128128
- `<client-nonce>`: a unique query identifier for a given (`<client-sk>`, `<resolver-pk>`) tuple. Every newly encrypted DNSCrypt query for the same (`<client-sk>`, `<resolver-pk>`) tuple MUST use a distinct `<client-nonce>` value, even when the plaintext DNS query is being retried. Retransmitting the same already-encrypted DNSCrypt packet does not require changing its nonce. The length of `<client-nonce>` is determined by the chosen encryption algorithm.
129-
- `AE`: the authenticated encryption function. For the encryption systems defined in this document, it is the `XChaCha20_DJB-Poly1305` construction of Appendix 1, whose output is the 16-byte authentication tag followed by the ciphertext.
129+
- `AE`: the authenticated encryption function. For the encryption systems defined in this document, it is the `XChaCha20_DJB-Poly1305` construction of Appendix 1, whose output is the 16-byte authentication tag followed by the ciphertext. This is the NaCl `secretbox` layout, in which the one-time Poly1305 key is taken from the start of the keystream; it is not the AEAD of {{!RFC8439}}, and the two are not interchangeable. See Appendix 1 for details.
130130
- `<encrypted-query>`: `AE(<shared-key> <client-nonce> <client-nonce-pad>, <client-query> <client-query-pad>)`
131131
- `<shared-key>`: the shared key derived from `<resolver-pk>` and `<client-sk>`, using the key exchange algorithm defined in the chosen certificate.
132132
- `<client-query>`: the unencrypted client query. The query is not modified; in particular, the query flags are not altered.
133-
- `<client-nonce-pad>`: `<client-nonce>` length is half the nonce length required by the encryption algorithm. In client queries, the other half, `<client-nonce-pad>` is filled with NUL bytes.
133+
- `<client-nonce-pad>`: `<client-nonce>` length is half the nonce length required by the encryption algorithm. In client queries, the other half, `<client-nonce-pad>` is filled with NUL bytes. For `<es-version>` `0x00 0x02`, the encryption algorithm uses a 24-byte nonce, so `<client-nonce>` is 12 bytes and `<client-nonce-pad>` is the remaining 12 NUL bytes.
134134
- `<client-query-pad>`: the variable-length padding.
135135

136136
Definitions for server responses:
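
Review bot: In the added `AE` sentence, the clause "in which the one-time Poly1305 key is taken from the start of the keystream" does not by itself distinguish this construction from RFC 8439, which also derives its one-time Poly1305 key from the first keystream block. The properties an implementer can actually get wrong are the tag placement (already stated as tag first, then ciphertext) and whatever Appendix 1 specifies about where the message keystream begins and what the tag covers. Suggest either naming those differences in this sentence or trimming it to the layout statement plus the Appendix 1 pointer. Separately, the unchanged `<encrypted-query>` line writes `AE(<shared-key> <client-nonce> <client-nonce-pad>,` with no comma after `<shared-key>`, which reads as key and nonce being concatenated; worth fixing while this list is being edited.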
@@ -142,7 +142,7 @@ Definitions for server responses:
142142
- `<client-pk>`: the client's public key.
143143
- `<resolver-sk>`: the resolver's secret key.
144144
- `<resolver-nonce>`: a unique response identifier for a given `(<client-pk>, <resolver-sk>)` tuple. The length of `<resolver-nonce>` depends on the chosen encryption algorithm.
145-
- `AE`: the authenticated encryption function. For the encryption systems defined in this document, it is the `XChaCha20_DJB-Poly1305` construction of Appendix 1, whose output is the 16-byte authentication tag followed by the ciphertext.
145+
- `AE`: the authenticated encryption function. For the encryption systems defined in this document, it is the `XChaCha20_DJB-Poly1305` construction of Appendix 1, whose output is the 16-byte authentication tag followed by the ciphertext. This is the NaCl `secretbox` layout, in which the one-time Poly1305 key is taken from the start of the keystream; it is not the AEAD of {{!RFC8439}}, and the two are not interchangeable. See Appendix 1 for details.
146146
- `<encrypted-response>`: `AE(<shared-key>, <nonce>, <resolver-response> <resolver-response-pad>)`
147147
- `<shared-key>`: the shared key derived from `<resolver-sk>` and `<client-pk>`, using the key exchange algorithm defined in the chosen certificate.
148148
- `<resolver-response>`: the unencrypted resolver response. The response is not modified; in particular, the query flags are not altered.
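
Review bot: The sentence added to this `AE` definition is a word-for-word copy of the one added to the client-query `AE` definition, so the two can drift apart in a later edit. Suggest defining `AE` once, before both definition lists, and having each list refer back to it. Also, in the unchanged lines of this hunk the formula is `AE(<shared-key>, <nonce>, ...)` while the list defines `<resolver-nonce>`; unless `<nonce>` is defined outside the lines shown, a reader cannot tell how it is built from `<client-nonce>` and `<resolver-nonce>`, and a clarification commit is a good place to say so.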
@@ -352,10 +352,12 @@ The name in the question (`<provider name>`) MUST follow this scheme:
352352

353353
A major protocol version has only one certificate format.
354354

355-
A DNSCrypt client implementing the second version of the protocol MUST send a query with the `TXT` type and a name of the form:
355+
A DNSCrypt client implementing the second version of the protocol MUST send a query with the `TXT` type and `IN` class, and a name of the form:
356356

357357
`2.dnscrypt-cert.example.com`
358358

359+
The RD (Recursion Desired) bit MAY be set; a resolver serving a certificate for its own provider name ignores it.
360+
359361
The zone MUST be a valid DNS name, but MAY not be registered in the DNS hierarchy.
360362

361363
A single provider name can be shared by multiple resolvers operated by the same entity, and a resolver can respond to multiple provider
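
Review bot: The new RD sentence mixes a normative keyword with a descriptive one: "MAY be set" is a requirement on the client, but "a resolver ... ignores it" states no requirement on the resolver. If the intent is that a resolver answers the certificate query regardless of RD, say "MUST ignore it"; it would also help to state what a resolver does when the queried name is not one of its own provider names, since the sentence only covers the own-name case. The `IN` class addition on the line above is clear as written. Not introduced by this commit, but adjacent: "MAY not be registered" is ambiguous under the usual keyword conventions and would read better as "need not be registered".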
