On 23-Oct-2015 07:31 am, Paul Hoffman <[email protected]> wrote:
>
> On 10/23/15, 1:35 PM, "Simon Josefsson" <[email protected]> wrote:
>
>> Hi. I believe the document is in relatively good shape. I have one
>> high level concern, and one concern with the document itself that is
>> related to the higher-level concern:
>>
>> 1) I believe it would be a mistake to publish this without synchronizing
>> the TLS-related aspects of DNS-over-TLS and DNS-over-DTLS. The
>> documents solve roughly the same problem, with roughly the same
>> technology. One important difference is how they approach
>> authentication of the peer in TLS. Given the similarities of the
>> protocols and solutions, this seems like a recipe for implementation
>> frustration. An implementer would prefer to implement DNS-over-TLS/DTLS
>> as similarly as possible. Having different X.509 (etc.) certificate
>> verification code paths depending on whether TLS or DTLS is used appears
>> bad to me.
>>
>> 2) On TLS verification, this document should reference RFC 6125 and
>> describe how naming information should be compared with the locally
>> known data with what is being presented by the server. See
>> draft-ietf-dprive-dnsodtls for one way (not necessarily the best one or
>> the most readable or complete way) of doing this.
>>
>> If merging DNS-over-TLS and DNS-over-DTLS is not an option, another
>> possibility is that TLS-related aspects are deferred from both documents
>> to another, third, new document that describes how to perform TLS
>> credential verification for DNS-over-(D)TLS in a generalized way. Then
>> there would be harmony in the TLS-related aspects, and the respective
>> documents can focus on the DNS-related aspects. If document editor
>> cycles are a limiting factor, I would volunteer to help write this.
>
> Fully agree on all counts. If the WG wants to move both -TLS and -DTLS to
> the IETF, it makes no sense at all to have them have different crypto
> properties. I don't care if the answer is "harmonize each before
> finishing" or "harmonize them by reference to a third document".

+1.

-d

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
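To make point 2) concrete, here is an added example (not code from the thread, from draft-ietf-dprive-dnsodtls, or from any draft) of comparing the locally configured reference identifier for a DNS-over-(D)TLS server against the DNS-ID values presented in its certificate, following the RFC 6125 matching rules; the function names and the server names in the comments are made up for illustration.

```python
# RFC 6125-style identity check for a DNS-over-(D)TLS server certificate.
# Hypothetical helpers; only subjectAltName DNS-IDs are considered here,
# not the legacy CN-ID fallback or iPAddress entries.
import ipaddress


def _labels(name: str) -> list[str]:
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def dns_id_matches(presented: str, reference: str) -> bool:
    """True if one presented DNS-ID matches the reference identifier.

    Wildcard handling follows RFC 6125 section 6.4.3 with the stricter
    choices an implementation may make: '*' is accepted only as the entire
    left-most label, it matches exactly one label, and at least two labels
    must follow it (so '*.net' is rejected).
    """
    p, r = _labels(presented), _labels(reference)
    if "" in p or "" in r:          # empty name or empty label (e.g. "a..b")
        return False
    if "*" in presented:
        if p[0] != "*" or any("*" in lbl for lbl in p[1:]) or len(p) < 3:
            return False
        # Wildcard label stands in for exactly one label of the reference.
        return len(p) == len(r) and p[1:] == r[1:]
    return p == r


def verify_server_identity(reference: str, san_dns_ids: list[str]) -> bool:
    """True if any presented DNS-ID matches the configured server name.

    An IP-literal reference (e.g. a resolver configured as 192.0.2.1,
    a constructed example) can never match a DNS-ID; it would need an
    iPAddress SAN, which this helper does not evaluate.
    """
    try:
        ipaddress.ip_address(reference.rstrip("."))
        return False
    except ValueError:
        pass
    return any(dns_id_matches(san, reference) for san in san_dns_ids)
```

A resolver client would call `verify_server_identity` with the name it was configured to expect and the DNS-IDs extracted from the peer certificate, after the chain itself has been validated.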
