Hello Ilari,
> On Sep 30, 2015, at 12:23 PM, Ilari Liusvaara <ilari.liusva...@elisanet.fi> wrote:
>
> DNS-over-TLS (-00):
>
> 1) Section 3.2:
>
> Is the section about authentication just examples or is it missing
> stuff like pinning RPK of the server?

I don't feel that section 3.2 is missing anything. Pinning is mentioned later in the Security Considerations section.

> Also, DNS servers are usually designated by IP, but certificates
> work by domain name...

The subject of a certificate can be a domain name or an IP address, and there are other ways of establishing trust of a server certificate.

> 2) Section 3.3:
>
> I presume each request or reply SHOULD also be inside just one
> TLS record (but multiple queries/responses can be combined into
> a single one)?

I think you're saying that a DNS message shouldn't be split between multiple TLS records. Is that because of performance or security reasons? And do applications generally have that level of control over TLS?

DW
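Added example, not part of the thread above: the question about one message per TLS record matters less than it might seem, because the receiving application sees a byte stream and must frame DNS messages itself. This assumes the two-octet length prefix that DNS over TCP uses (RFC 1035 section 4.2.2), which the message above does not spell out; the reassembler below handles a message split across delivery chunks and several messages arriving in one chunk, exactly the two cases the exchange raises.

```python
import struct


def build_dns_tcp_frame(message: bytes) -> bytes:
    """Prefix a DNS message with the two-octet big-endian length field
    (RFC 1035 TCP framing; assumed here for DNS-over-TLS, not stated above)."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message too large for a two-octet length prefix")
    return struct.pack("!H", len(message)) + message


class DnsStreamReassembler:
    """Accumulates bytes delivered in arbitrary chunks (for example one TLS
    record at a time) and returns complete DNS messages as they become
    available. Chunk boundaries never change the result."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> list:
        self._buf.extend(chunk)
        complete = []
        while len(self._buf) >= 2:
            (n,) = struct.unpack_from("!H", self._buf, 0)
            if n == 0:
                # A zero-length message is never valid; treat it as a peer error
                # rather than looping on an empty frame.
                raise ValueError("zero-length DNS message on stream")
            if len(self._buf) < 2 + n:
                break  # length known, body still incomplete: wait for more bytes
            complete.append(bytes(self._buf[2:2 + n]))
            del self._buf[:2 + n]
        return complete


def reassemble(chunks) -> list:
    r = DnsStreamReassembler()
    messages = []
    for c in chunks:
        messages.extend(r.feed(c))
    return messages


# Constructed sample input: two header-only DNS messages (12 bytes each),
# distinguished by their transaction IDs.
QUERY_A = struct.pack("!6H", 0x1234, 0x0100, 0, 0, 0, 0)
QUERY_B = struct.pack("!6H", 0xABCD, 0x0100, 0, 0, 0, 0)


def demo() -> list:
    stream = build_dns_tcp_frame(QUERY_A) + build_dns_tcp_frame(QUERY_B)
    # Simulated record boundaries: the first chunk splits A's length field,
    # the second carries most of A, the third finishes A and carries all of B.
    return reassemble([stream[:1], stream[1:9], stream[9:]])
```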
_______________________________________________ dns-privacy mailing list dns-privacy@ietf.org https://www.ietf.org/mailman/listinfo/dns-privacy