That's fine. Thanks.
On Sat, 10 Oct 2015, Wessels, Duane wrote:
On Oct 9, 2015, at 4:33 PM, John R Levine <[email protected]> wrote:
If the TLS stuff is on a separate port that only does TLS, what could possibly
happen before the TLS handshake?
I'm suggesting that a query/response on port 53 might happen prior to TLS.
Oh, OK. It'd help if the text mentioned that.
John, how does this look to you?
- Any protocol interactions prior to the TLS handshake are
- performed in the clear and can be modified by a
person-in-the-middle
- attacker. For this reason, clients MAY discard cached
+ Any DNS protocol interactions prior to the TLS handshake that are
+ performed in the clear can be modified by a person-in-the-middle
+ attacker. For example, unencrypted queries and responses
+ might take place over port 53 between a client and server
+ prior to TLS. For this reason, clients MAY discard cached
information about server capabilities advertised prior to
the start of the TLS handshake.
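Review bot: the unchanged context lines still say clients "MAY discard" cached capability information, which leaves acting on it optional even though the new sentences establish that anything exchanged on port 53 before TLS can be modified by a person-in-the-middle attacker; consider whether "SHOULD discard" is the intended strength, or add a clause saying when a client would reasonably keep such information. Minor: the replaced text is split across the "- performed in the clear and can be modified by a" / "person-in-the-middle" / "- attacker." lines, so a line break appears to have been lost in the old block when it was pasted.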
DW
Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy