John, > On Oct 1, 2015, at 9:21 PM, John Levine <jo...@taugh.com> wrote: > > I think it's in pretty good shape but of course I have a few questions. > > In 3.3, it says to match queries and responses "using the ID field and > port number". I get the ID field, but the port number? In a TCP > session? This language appears to be copied from 5966bis, where it > seems to have been copied by mistake from something that was talking > about UDP. It's not in RFC 5966.
Already fixed, as you already know... > > In the opportunistic privacy profiles in 4.1, why wouldn't you want to > use opportunistic TLS when talking to an authoritative server the same > as you would talking to a cache? The example suggests it only applies > to caches. Because the working group is focused on stub-to-recursive that is what the document authors focused on as well. > > In the security considerations, item 3 appears to be left over from > the STARTTLS version. If the handshake happens at the beginning, how > could there be protocol interactions prior to the handshake? Here's the text: 3. Any protocol interactions prior to the TLS handshake are performed in the clear and can be modified by a person-in-the- middle attacker. For this reason, clients MAY discard cached information about server capabilities advertised prior to the start of the TLS handshake. The authors debated about leaving this in or taking it out. The argument for leaving it is that a client might not use TLS immediately, for whatever reason. If it performs normal queries before using TLS then the client might want to discard anything it learned about servers. That might include RTT estimates, EDNS support, etc. If there is consensus that its better to remove that paragraph, we would be happy to do so. DW _______________________________________________ dns-privacy mailing list dns-privacy@ietf.org https://www.ietf.org/mailman/listinfo/dns-privacy