At Fri, 23 Oct 2015 14:31:15 +0000, Paul Hoffman <[email protected]> wrote:
> >1) I believe it would be a mistake to publish this without synchronizing > >the TLS-related aspects of DNS-over-TLS and DNS-over-DTLS. [...] > >2) On TLS verification, this document should reference RFC 6125 and > >describe how naming information should be compared with the locally > >known data with what is being presented by the server. [...] > >If merging DNS-over-TLS and DNS-over-DTLS is not an option, another > >possibility is that TLS-related aspects are deferred from both documents > >to another third new document that describe how to perform TLS > >credential verification for DNS-over-(D)TLS in a generalized way. Then > >there would be harmony in the TLS-related aspects, and the respective > >document can focus on the DNS-related aspects. If document editor > >cycles is limiting factor, I would volunteer to help write this. > > Fully agree on all counts. If the WG wants to move both -TLS and -DTLS to > the IETF, it makes no sense at all to have them have different crypto > properties. I don't care if the answer is "harmonize each before > finishing" or "harmonize them by reference to a third document". I have some preliminary question about the 'If'. I don't remember exactly how the DNS/DTLS draft became a wg document, but IIRC when we adopted DNS/TLS from several candidates the decision was to focus on this particular solution while allowing flexibility of discussions other ideas at a lower priority, so we can at least publish one concrete solution document as soon as possible. I have no problem of discussing DNS/DTLS itself, but if my understanding about the wg focus is correct, I don't think it a good idea to delay publishing DNS/TLS because of it implication with DNS/DTLS. In that sense merging these two drafts doesn't seem to be a good idea to me. Extracting and deferring some parts of DNS/TLS may be acceptable if the resulting DNS/TLS draft is still a self-contained document to be published. -- JINMEI, Tatuya _______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
