Merge branch 'master' of github.com:jedisct1/dnscrypt-protocol

* 'master' of github.com:jedisct1/dnscrypt-protocol: update Allow forwarding of certificate responses
DNSCrypt · Dec 6, 2019 · 738ee43 · 738ee43
2 parents 955be26 + 043bc19
commit 738ee43
Showing 1 changed file with 11 additions and 5 deletions.
diff --git a/ANONYMIZED-DNSCRYPT.txt b/ANONYMIZED-DNSCRYPT.txt
@@ -92,11 +92,17 @@ protocol. In particular, it shouldn't start with 0x00000001. If this
 is the case, the relay must immediately respond with an empty packet.
 - otherwise, forward <dnscrypt-query> unmodified to the server.
 
-Once a response from the server has been received, the relay should:
-
-- validate that the response starts with <resolver-magic> (0x72 0x36
-0x66 0x6e 0x76 0x57 0x6a 0x38) followed by <client-nonce>
-- forward the entire response unmodified to the client
+Once a response from the server has been received, the relay:
+
+- must verify that the response is smaller than the query.
+- may validate that the response:
+  - either starts with <resolver-magic>
+    (0x72 0x36 0x66 0x6e 0x76 0x57 0x6a 0x38) followed by <client-nonce>
+  - or starts with a DNSCrypt certificate response
+    (* * * * 0x00 0x01 0x00 0x01 0x00 0x00 0x00 0x00 0x01 0x32 0x0d 0x64
+     0x6e 0x73 0x63 0x72 0x79 0x70 0x74 0x2d 0x63 0x65 0x72 0x74)
+- must forward the entire response unmodified to the client if the
+  previous steps succeed.
 
 4. Operational considerations
 -----------------------------