On Thu, 13 Nov 2014 08:03:02 +0100, Francis Dupont wrote: 
>Does DNS over TLS use the TLS framing (aka TLS Record Protocol) or
>does it prefix messages by a two byte length field as for DNS over TCP
>(cf RFC 1035 4.2.2 TCP usage)? I believe it is the second but *no*
>DNS over TLS proposal specifies this point.

Good question.

draft-hzhwm-dprive-start-tls-for-dns-00
frames as per DNS over TCP, not TLS.

It says:

           After TLS negotiation completes, the connection will be encrypted and
           is now protected from eavesdropping and normal DNS queries SHOULD
           take place.

I guess "normal DNS queries" should be "normal DNS queries (with
DNS-over-TCP framing as per RFC1035 section 4.2.2)" to be clearer.

This choice is consistent with the goal of minimal changes to existing
DNS software.  Once you negotiate TLS, you basically end up just calling
the TLS-specific read/write functions rather than standard read/write.

This approach is also consistent with other STARTTLS uses---they preserve
the "native" framing (like SMTP, RFC3207).

   -John Heidemann
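The framing the thread settles on, as an added example that is not part of the original message or of the draft: DNS messages on the encrypted stream keep the RFC 1035 section 4.2.2 two-byte big-endian length prefix, and the reader has to reassemble across read boundaries because neither TCP segments nor TLS records line up with DNS message boundaries. The `recv` callable, the `ChunkedStream` stand-in and the sample queries are constructed for the example; with a real connection the callable would simply be `sock.recv` or, after the TLS handshake, `ssl_sock.recv`, which is the "just call the TLS-specific read/write functions" point made above.

```python
"""Length-prefixed DNS framing on a stream transport (RFC 1035 section 4.2.2).

Added example; the socket is replaced by a constructed ChunkedStream so it runs
offline. The same read/write logic applies unchanged once the stream is TLS.
"""
import struct
from typing import Callable, List, Optional

DNS_HEADER = struct.Struct("!HHHHHH")   # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
LENGTH_PREFIX = struct.Struct("!H")     # 2-byte big-endian length; excludes itself


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: header with RD set, one question, QCLASS=IN (constructed input)."""
    header = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0)
    labels = [part.encode("ascii") for part in qname.rstrip(".").split(".") if part]
    for label in labels:
        if len(label) > 63:
            raise ValueError("DNS label longer than 63 octets")
    name = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """Prepend the RFC 1035 4.2.2 length prefix. Messages are capped at 65535 bytes."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message exceeds 65535 bytes")
    return LENGTH_PREFIX.pack(len(msg)) + msg


def read_exact(recv: Callable[[int], bytes], n: int) -> bytes:
    """Loop until n bytes arrive; a short read is normal, a close mid-message is not."""
    buf = bytearray()
    while len(buf) < n:
        chunk = recv(n - len(buf))
        if not chunk:
            raise ConnectionError(f"peer closed the stream with {n - len(buf)} byte(s) still owed")
        buf += chunk
    return bytes(buf)


def read_message(recv: Callable[[int], bytes]) -> Optional[bytes]:
    """Return the next DNS message, or None on a clean close at a message boundary."""
    prefix = bytearray()
    while len(prefix) < 2:
        chunk = recv(2 - len(prefix))
        if not chunk:
            if not prefix:
                return None          # closed between messages: fine
            raise ConnectionError("peer closed the stream inside a length prefix")
        prefix += chunk
    (length,) = LENGTH_PREFIX.unpack(prefix)
    if length < DNS_HEADER.size:
        raise ValueError(f"length prefix {length} is shorter than a DNS header")
    return read_exact(recv, length)


def drain(recv: Callable[[int], bytes]) -> List[bytes]:
    """Read every message on the stream until a clean close."""
    msgs: List[bytes] = []
    while (msg := read_message(recv)) is not None:
        msgs.append(msg)
    return msgs


def parse_header(msg: bytes) -> dict:
    fields = ("id", "flags", "qdcount", "ancount", "nscount", "arcount")
    return dict(zip(fields, DNS_HEADER.unpack_from(msg)))


class ChunkedStream:
    """Constructed stand-in for a socket: hands back at most `chunk` bytes per recv(),
    so message boundaries deliberately never coincide with read boundaries."""

    def __init__(self, data: bytes, chunk: int = 1):
        self._data, self._pos, self._chunk = data, 0, chunk

    def recv(self, n: int) -> bytes:
        out = self._data[self._pos:self._pos + min(n, self._chunk)]
        self._pos += len(out)
        return out


def is_truncated(wire: bytes) -> bool:
    """True if the byte stream ends inside a message rather than at a boundary."""
    try:
        drain(ChunkedStream(wire).recv)
        return False
    except ConnectionError:
        return True


if __name__ == "__main__":
    wire = frame(build_query("example.com")) + frame(build_query("ietf.org", qtype=28))
    for m in drain(ChunkedStream(wire, chunk=3).recv):
        print(parse_header(m))
```

Two caveats worth keeping in mind when this is layered over TLS: the two-byte prefix counts only the DNS message, never the TLS record overhead, and a TLS record carries at most 2^14 bytes of plaintext, so a large response arrives spread over several records and several `recv` calls. Nothing in the framing code changes; it only has to keep looping, as `read_exact` does, and treat a close in the middle of a message as an error rather than as end of data.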


_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy