Warren Kumari <[email protected]> writes:

> Dear DPRIVE WG,
>
> The authors of draft-ietf-dprive-dns-over-tls-01 have indicated that
> they believe that the document is ready, and have asked for Working
> Group Last Call.
Hi. I believe the document is in relatively good shape. I have one high level concern, and one concern with the document itself that is related to the higher-level concern:

1) I believe it would be a mistake to publish this without synchronizing the TLS-related aspects of DNS-over-TLS and DNS-over-DTLS. The documents solve roughly the same problem, with roughly the same technology. One important difference is how they approach authentication of the peer in TLS. Given the similarities of the protocols and solutions, this seems like a recipe for implementation frustration. An implementer would prefer to implement DNS-over-TLS/DTLS as similarly as possible. Having different X.509 (etc.) certificate verification code paths depending on whether TLS or DTLS is used appears bad to me.

2) On TLS verification, this document should reference RFC 6125 and describe how the naming information presented by the server should be compared with the locally known data. See draft-ietf-dprive-dnsodtls for one way (not necessarily the best one or the most readable or complete way) of doing this.

If merging DNS-over-TLS and DNS-over-DTLS is not an option, another possibility is that the TLS-related aspects are deferred from both documents to a third, new document that describes how to perform TLS credential verification for DNS-over-(D)TLS in a generalized way. Then there would be harmony in the TLS-related aspects, and the respective documents can focus on the DNS-related aspects. If document editor cycles are the limiting factor, I would volunteer to help write this.

/Simon
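As an added illustration of the RFC 6125 comparison Simon asks for, the following is example code written for this page, not code from draft-ietf-dprive-dns-over-tls, draft-ietf-dprive-dnsodtls or anyone in the thread. It assumes the client holds a locally configured DNS name for its resolver (the "reference identifier" in RFC 6125 terms) and compares it against the DNS-IDs the server's certificate presents, applying the wildcard and CN-fallback rules of RFC 6125 sections 6.4.3 and 6.4.4. The certificate is a constructed dict in the shape Python's ssl.SSLSocket.getpeercert() returns, so the block runs offline; matching an IP-literal reference against an iPAddress SAN (common when a resolver is addressed by IP) is not covered here.

```python
"""RFC 6125 style reference identifier matching for a DNS-over-(D)TLS client.

Added example for the DPRIVE WGLC thread; not from either draft.
"""
from typing import List


def _labels(name: str) -> List[str]:
    # Comparison is case-insensitive and a trailing root dot is not significant.
    return name.rstrip(".").lower().split(".")


def dns_id_matches(reference_id: str, presented_id: str) -> bool:
    """True if a presented DNS-ID matches the locally configured reference identifier.

    Rules applied (RFC 6125 section 6.4.3):
      * labels are compared case-insensitively, one to one
      * a wildcard is accepted only as the entire left-most label
      * a wildcard matches exactly one label, never "a.b" and never no label
      * a wildcard must be followed by at least two labels, so "*.com" never matches
      * partial-label wildcards such as "f*o.example.net" are rejected
    """
    ref = _labels(reference_id)
    pres = _labels(presented_id)
    # A reference identifier is a concrete name; wildcards or empty labels there are a bug.
    if "*" in reference_id or any(l == "" for l in ref) or any(l == "" for l in pres):
        return False
    # Wildcards anywhere but the left-most label are never accepted.
    if any("*" in l for l in pres[1:]):
        return False
    if pres[0] == "*":
        if len(pres) < 3:          # "*.com" style names are rejected
            return False
        if len(ref) != len(pres):  # the wildcard stands for exactly one label
            return False
        return ref[1:] == pres[1:]
    if "*" in pres[0]:             # "f*o.example.net": not supported, fail closed
        return False
    return ref == pres


def presented_dns_ids(cert: dict) -> List[str]:
    """Collect the DNS-IDs to match, in RFC 6125 order of preference.

    subjectAltName dNSName entries are authoritative when present; the subject
    CN is consulted only when the certificate carries no dNSName at all
    (RFC 6125 section 6.4.4). `cert` mirrors ssl.SSLSocket.getpeercert() output;
    this is an assumption of the example, not a live socket.
    """
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for (attr, value) in rdn:
            if attr == "commonName":
                return [value]
    return []


def verify_server_name(reference_id: str, cert: dict) -> bool:
    """Accept the certificate only if some presented DNS-ID matches the reference identifier."""
    return any(dns_id_matches(reference_id, p) for p in presented_dns_ids(cert))


# Constructed sample certificate for a hypothetical resolver (not a real deployment).
RESOLVER_CERT = {
    "subject": ((("commonName", "legacy-name.example.net"),),),
    "subjectAltName": (
        ("DNS", "dns.example.net"),
        ("DNS", "*.resolvers.example.net"),
        ("IP Address", "192.0.2.1"),
    ),
}

# Constructed certificate with no SAN, so the CN fallback applies.
CN_ONLY_CERT = {"subject": ((("commonName", "dns.example.net"),),)}


if __name__ == "__main__":
    for ref in ("dns.example.net", "legacy-name.example.net",
                "a.resolvers.example.net", "a.b.resolvers.example.net"):
        print(f"{ref:30} -> {verify_server_name(ref, RESOLVER_CERT)}")
```

The point worth noticing for the thread is the CN line: because the sample certificate carries dNSName entries, "legacy-name.example.net" is rejected even though it is the subject CN, which is exactly the kind of behaviour that should be spelled out once for both DNS-over-TLS and DNS-over-DTLS rather than left to each implementer.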
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
