Simon,
> On Sep 21, 2015, at 2:58 AM, Simon Josefsson <[email protected]> wrote:
>
> "Wessels, Duane" <[email protected]> writes:
>
>> The former draft described two approaches to establishing a
>> DNS-over-TLS session: upgrade-based (aka STARTTLS for DNS) and
>> port-based. In this new version we have removed the upgrade-based
>> approach and describe only the use of a well-known port.
>
> Yay, thank you!
>
> I believe the abstract or introduction section should mention that TLS
> gives you data integrity services, which protects against on-path
> tampering. Right now the document talks about encryption to protect
> against eavesdropping. However, the RFC 7258 pervasive monitoring
> attack includes active attacks and thus I believe talking about
> integrity is useful to set the context right.

I've added a short sentence to the abstract:

@@ -169,7 +169,9 @@
 This document describes the use of TLS to provide privacy for DNS.
 Encryption provided by TLS eliminates opportunities for eavesdropping
 on DNS queries in the network, such as
- discussed in RFC 7258. In addition, this document specifies
+ discussed in RFC 7258.
+ TLS also protects against on-path tampering.
+ In addition, this document specifies
 two usage profiles for DNS-over-TLS and provides advice on
 performance considerations to minimize overhead from using TCP
 and TLS with DNS.

> One comment/thought around the /etc/service name 'domain-s'. I find it
> undescriptive and difficult to type. How about 'dnsovertls' or
> something more descriptive?

This has already been discussed and the IANA Ports Review team has
provided guidance that the -s suffix is preferred:

https://mailarchive.ietf.org/arch/msg/dns-privacy/dO99_jjoBUrHS2hCNDKTNRlBLFo

DW
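Review bot: the added line "TLS also protects against on-path tampering." states the integrity property unconditionally, but TLS only defends against an active on-path attacker when the client authenticates the server; in an unauthenticated (opportunistic) session, whoever can intercept the TCP connection can terminate TLS themselves and still read or alter the queries. Since the same paragraph goes on to say the document "specifies two usage profiles for DNS-over-TLS", consider tying the claim to authentication, e.g. "TLS also protects against on-path tampering when the server is authenticated, as described in the usage profiles", or fold it into the preceding sentence as "Encryption and integrity protection provided by TLS ...", so that the active-attack part of RFC 7258 that Simon raised is addressed without overstating what the opportunistic profile delivers.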
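To make the integrity point concrete, here is an added example in Python; it is not code from the draft or from anyone on this thread. It builds a DNS query in RFC 1035 wire format, applies the two-octet length framing that DNS over TCP and TLS use, and contrasts a client TLS context that authenticates the server (which is what backs the "protects against on-path tampering" claim) with an opportunistic one that only encrypts. The port number 853 and the resolver name are assumptions: the message above only says "a well-known port".

```python
"""Added illustration (not the draft's or the list's code) of what the
"TLS protects against on-path tampering" sentence depends on.

Assumptions: DNS-over-TLS on TCP port 853 (the draft text quoted above
only says "a well-known port"); the resolver name is a placeholder.
"""
import socket
import ssl
import struct

DOT_PORT = 853  # assumption; the quoted draft text does not name the port


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: RFC 1035 header (RD set) plus one question (IN class)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return header + question


def frame_for_tls(msg: bytes) -> bytes:
    """DNS over TCP and TLS sends each message behind a 2-octet length prefix."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for a 2-octet length prefix")
    return struct.pack("!H", len(msg)) + msg


def unframe(stream: bytes) -> tuple[list[bytes], bytes]:
    """Split a byte stream into complete messages; returns (messages, leftover).

    A partial trailing message is returned as leftover rather than being
    mistaken for a complete one, which matters when TCP delivers a short read.
    """
    messages = []
    while len(stream) >= 2:
        (length,) = struct.unpack("!H", stream[:2])
        if len(stream) < 2 + length:
            break
        messages.append(stream[2:2 + length])
        stream = stream[2 + length:]
    return messages, stream


def make_client_context(strict: bool) -> ssl.SSLContext:
    """Strict: server certificate is verified against the expected name.
    Opportunistic: encryption only; an active on-path attacker can present
    its own certificate and then read or alter every query. Only the strict
    configuration delivers the tamper protection the abstract claims."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    if not strict:
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tamper_resistant(ctx: ssl.SSLContext) -> bool:
    """True only when the context authenticates the server."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def query_over_tls(resolver: str, qname: str, strict: bool = True) -> bytes:
    """Send one query to a DNS-over-TLS resolver and return the raw response.
    Network helper for manual use; not exercised offline."""
    ctx = make_client_context(strict)
    with socket.create_connection((resolver, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver) as tls:
            tls.sendall(frame_for_tls(build_query(qname)))
            buf = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                buf += chunk
                messages, _ = unframe(buf)
                if messages:
                    return messages[0]
    raise ConnectionError("no complete DNS message received")


if __name__ == "__main__":
    # "resolver.example" is a placeholder, not a real DNS-over-TLS service.
    print("strict context is tamper resistant:",
          tamper_resistant(make_client_context(True)))
    print("opportunistic context is tamper resistant:",
          tamper_resistant(make_client_context(False)))
    print("framed query:", frame_for_tls(build_query("example.com")).hex())
```

The two contexts encrypt identically on the wire; the difference the abstract's sentence hinges on is entirely in whether `check_hostname` and `CERT_REQUIRED` are left in place, which is what a usage profile has to pin down.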
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
