John,
> On Oct 1, 2015, at 9:21 PM, John Levine <jo...@taugh.com> wrote:
>
> I think it's in pretty good shape but of course I have a few questions.
>
> In 3.3, it says to match queries and responses "using the ID field and
> port number". I get the ID field, but the port number? In a TCP
> session? This language appears to be copied from 5966bis, where it
> seems to have been copied by mistake from something that was talking
> about UDP. It's not in RFC 5966.
Already fixed, as you already know...
>
> In the opportunistic privacy profiles in 4.1, why wouldn't you want to
> use opportunistic TLS when talking to an authoritative server the same
> as you would talking to a cache? The example suggests it only applies
> to caches.
Because the working group is focused on stub-to-recursive that is what
the document authors focused on as well.
>
> In the security considerations, item 3 appears to be left over from
> the STARTTLS version. If the handshake happens at the beginning, how
> could there be protocol interactions prior to the handshake?
Here's the text:
3. Any protocol interactions prior to the TLS handshake are
performed in the clear and can be modified by a person-in-the-
middle attacker. For this reason, clients MAY discard cached
information about server capabilities advertised prior to the
start of the TLS handshake.
The authors debated about leaving this in or taking it out.
The argument for leaving it is that a client might not use TLS
immediately, for whatever reason. If it performs normal queries
before using TLS then the client might want to discard anything it
learned about servers. That might include RTT estimates, EDNS support, etc.
If there is consensus that its better to remove that paragraph, we would
be happy to do so.
DW
_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
