On Tue, Jul 14, 2015 at 04:58:03AM +0000, Wessels, Duane wrote:
>
> We believe that this update addresses the working group's concerns
> and hope that the document can progress to last call soon.

I didn't see any discussion about requirements on TLS, if any. Given that this is a new service, running on a "fresh" port (so no problems like HTTP/2 faced), one can set the bar relatively high.

One problem with TLS is that there is no way to perform TLS record padding without resorting to obsolete stuff with known security issues (enough to trigger user-visible warnings in Chrome) and not supported in TLS 1.3 (or yet-to-be-defined extensions). So if query/response padding is to be done (and I think it should be), it needs to be somehow done on the DNS level.

Also, regarding the pre-deployed profile, what names is the certificate validated against (assuming it is not RPK [RFC7250])? Is the name stored in the same config as the resolver IP and the pinned key?

-Ilari
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
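As an added illustration of what "padding on the DNS level" can look like (this is example code written for this page, not part of Ilari's message or of any draft text): the query is padded by appending an EDNS(0) OPT pseudo-RR that carries a Padding option, so that the whole message length is rounded up to a fixed block size before it is handed to TLS. The option code 12 is the one later standardised for EDNS Padding in RFC 7830; the block size of 128 bytes, the transaction id, the hypothetical function names and the sample query name are assumptions made for the example. The helpers only handle the single-question, no-answer layout they construct themselves.

```python
import struct

EDNS_PADDING_OPTION_CODE = 12   # EDNS(0) Padding option code (RFC 7830)
OPT_TYPE = 41                   # RR type of the EDNS(0) OPT pseudo-RR
BLOCK_SIZE = 128                # assumed padding block size for this example


def build_query(qname: str, qtype: int = 1, txn_id: int = 0x1234) -> bytes:
    """Build a minimal DNS query (header + one question), no EDNS yet."""
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in qname.rstrip(".").split("."))
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    return header + question


def add_padding(msg: bytes, block_size: int = BLOCK_SIZE, udp_payload: int = 4096) -> bytes:
    """Append an OPT RR with an EDNS Padding option so that len(result) is a
    multiple of block_size. Assumes msg carries no OPT RR yet."""
    # OPT RR fixed part: NAME "." (1) + TYPE (2) + UDP size (2) + TTL (4) + RDLEN (2) = 11
    # Padding option header: OPTION-CODE (2) + OPTION-LENGTH (2) = 4
    fixed_overhead = 11 + 4
    pad_len = (-(len(msg) + fixed_overhead)) % block_size
    option = struct.pack("!HH", EDNS_PADDING_OPTION_CODE, pad_len) + b"\x00" * pad_len
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, len(option)) + option
    # Bump ARCOUNT (header bytes 10-11) to account for the added OPT RR.
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + opt_rr


def padding_length(msg: bytes) -> int:
    """Return the padding length declared by the Padding option in the OPT RR
    that follows the question section, or 0 if there is none."""
    off = 12
    while msg[off] != 0:          # skip QNAME labels
        off += 1 + msg[off]
    off += 1 + 4                  # root label + QTYPE + QCLASS
    if off >= len(msg) or msg[off] != 0:
        return 0                  # no record with owner name "." here
    rtype, _udp, _ttl, rdlen = struct.unpack("!HHIH", msg[off + 1:off + 11])
    if rtype != OPT_TYPE:
        return 0
    off += 11
    end = off + rdlen
    while off + 4 <= end:
        code, length = struct.unpack("!HH", msg[off:off + 4])
        if code == EDNS_PADDING_OPTION_CODE:
            return length
        off += 4 + length
    return 0


if __name__ == "__main__":
    # Constructed sample query; the name is an illustration only.
    q = build_query("example.com")
    padded = add_padding(q)
    print(f"unpadded {len(q)} bytes, padded {len(padded)} bytes, "
          f"padding option carries {padding_length(padded)} zero bytes")
```

Because the padding lives inside the DNS message, it survives whatever the TLS layer does with record sizes, which is the point Ilari makes; the response side would apply the same rounding to the answer before encrypting it.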
