> > I believe the abstract or introduction section should mention that
> > TLS gives you data integrity services, which protects against
> > on-path tampering. Right now the document talks about encryption
> > to protect against eavesdropping. However, the RFC 7258 pervasive
> > monitoring attack includes active attacks and thus I believe
> > talking about integrity is useful to set the context right.
>
> I've added a short sentence to the abstract:
>
> @@ -169,7 +169,9 @@
> This document describes the use of TLS to provide privacy
> for DNS. Encryption provided by TLS eliminates opportunities
> for eavesdropping on DNS queries in the network, such as
> - discussed in RFC 7258. In addition, this document specifies
> + discussed in RFC 7258.
> + TLS also protects against on-path tampering.
> + In addition, this document specifies
> two usage profiles for DNS-over-TLS and provides advice on
> performance considerations to minimize overhead from using
> TCP and TLS with DNS.
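Review bot: the new `+ TLS also protects against on-path tampering.` line is an unscoped, free-standing claim wedged between two sentences of the abstract, so it reads as a general statement about TLS rather than about the DNS traffic the abstract is describing; the preceding sentence already qualifies the eavesdropping claim with "on DNS queries in the network, such as discussed in RFC 7258", and the comment being answered notes that RFC 7258's pervasive-monitoring threat already includes active attacks, so the tampering protection belongs under that same qualifier and citation. Folding it into the existing sentence (eavesdropping on, and on-path tampering with, DNS queries in the network, such as discussed in RFC 7258) keeps the scope explicit and avoids splitting `discussed in RFC 7258.` and `In addition, this document specifies` onto separate lines for no reason. The hunk header is consistent (7 old lines, 9 new lines).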
Hi Duane. Thank you. 7258 also talks about active attacks. So maybe it reads better to say:

Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7258.

> > One comment/thought around the /etc/service name 'domain-s'. I
> > find it undescriptive and difficult to type. How about
> > 'dnsovertls' or something more descriptive?
>
> This has already been discussed and the IANA Ports Review team has
> provided guidance that the -s suffix is preferred:
>
> https://mailarchive.ietf.org/arch/msg/dns-privacy/dO99_jjoBUrHS2hCNDKTNRlBLFo

Thanks for the pointer. I guess my comment here is too late.

/Simon
_______________________________________________
dns-privacy mailing list
https://www.ietf.org/mailman/listinfo/dns-privacy
