> On Oct 9, 2015, at 4:33 PM, John R Levine <[email protected]> wrote:
>
>>> If the TLS stuff is on a separate port that only does TLS, what could
>>> possibly happen before the TLS handshake?
>>
>> I'm suggesting that a query/response on port 53 might happen prior to TLS.
>
> Oh, OK. It'd help if the text mentioned that.
>
John, how does this look to you?
- Any protocol interactions prior to the TLS handshake are
- performed in the clear and can be modified by a
person-in-the-middle
- attacker. For this reason, clients MAY discard cached
+ Any DNS protocol interactions prior to the TLS handshake that are
+ performed in the clear can be modified by a person-in-the-middle
+ attacker. For example, unencrypted queries and responses
+ might take place over port 53 between a client and server
+ prior to TLS. For this reason, clients MAY discard cached
information about server capabilities advertised prior to
the start of the TLS handshake.
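Review bot: the normative strength of the last sentence looks weak relative to the risk the new text states. If a person-in-the-middle can modify the unencrypted port-53 queries and responses, then capability information learned from them cannot be trusted, so consider whether "clients MAY discard cached information about server capabilities" should become "clients SHOULD NOT rely on" such information, or else add a sentence explaining why discarding is left optional. Minor: in the added example, saying that these are ordinary, unencrypted DNS exchanges with the same server (rather than just "over port 53") would make clearer what "protocol interactions prior to the TLS handshake" refers to, which is the point that was unclear earlier in the thread.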
DW
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy