We have updated the DNS-over-TLS draft to provide a complete response to
two aspects of the WGLC:

1. the WG consensus call from the discussion that took place in Yokohama
(2 weeks into the 4 week WGLC)
2. the discussion on the mailing list - this mostly took the form of
questions about that consensus.

Warren summed up the WG consensus call (on the mailing list on 11/13):

On 11/13/15, 12:55 PM, "dns-privacy on behalf of Warren Kumari"
<[email protected] on behalf of [email protected]> wrote:

>The plan that we'd discussed was that this document would describe how
>to do the DNSoTLS bit, and the new document would extend the auth
>profiles.
>
>This document would mention opportunistic and the case where there is
>an existing trust relationship.
>
>The reference to the new document would not have to be normative, and
>so we could go ahead and publish this - we've heard (anecdotally) that
>a number of people would like to test this, but would like to see the
>RFC label before spending cycles...


We addressed both 1 and 2 by providing more details about the case
where there is an existing trust relationship.  We point to the soon to be
submitted document for TLS and DTLS that will provide additional
authentication methods and profiles with a TBD informative reference to be
filled in with the draft name once it appears (Section 1).

We expanded on the existing trust relationship case by specifying
out-of-band pinned-key authentication analogous to the authentication
described in RFC 7469 (and noting that additional authentication methods
are to come in the TLS/DTLS authentication draft).  These changes
primarily occur in Section 4.2, but also in the profiles intro (Section
4). Also, we added a non-normative appendix with an example of pinned-key
authentication.  

Please check the diff (Diff:
https://www.ietf.org/rfcdiff?url2=draft-ietf-dprive-dns-over-tls-02) to
get a clear picture of these changes.

We request that folks read the changed sections asap.  We request to the
chairs that they start a new two week WGLC for review of this response to
the first WGLC.

Thanks,

Allison



On 12/7/15, 10:28 AM, "[email protected]"
<[email protected]> wrote:

>
>A new version of I-D, draft-ietf-dprive-dns-over-tls-02.txt
>has been successfully submitted by Duane Wessels and posted to the
>IETF repository.
>
>Name:          draft-ietf-dprive-dns-over-tls
>Revision:      02
>Title:         DNS over TLS: Initiation and Performance Considerations
>Document date: 2015-12-07
>Group:         dprive
>Pages:         19
>URL:            
>https://www.ietf.org/internet-drafts/draft-ietf-dprive-dns-over-tls-02.txt
>Status:         
>https://datatracker.ietf.org/doc/draft-ietf-dprive-dns-over-tls/
>Htmlized:       
>https://tools.ietf.org/html/draft-ietf-dprive-dns-over-tls-02
>Diff:           
>https://www.ietf.org/rfcdiff?url2=draft-ietf-dprive-dns-over-tls-02
>
>Abstract:
>   This document describes the use of TLS to provide privacy for DNS.
>   Encryption provided by TLS eliminates opportunities for eavesdropping
>   and on-path tampering with DNS queries in the network, such as
>   discussed in RFC 7258.  In addition, this document specifies two
>   usage profiles for DNS-over-TLS and provides advice on performance
>   considerations to minimize overhead from using TCP and TLS with DNS.
>
>   Note: this document was formerly named
>   draft-ietf-dprive-start-tls-for-dns.  Its name has been changed to
>   better describe the mechanism now used.  Please refer to working
>   group archives under the former name for history and previous
>   discussion.  [RFC Editor: please remove this paragraph prior to
>   publication]
>
>
>
>Please note that it may take a couple of minutes from the time of
>submission
>until the htmlized version and diff are available at tools.ietf.org.
>
>The IETF Secretariat
>

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
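The message above describes the -02 draft's out-of-band pinned-key authentication as analogous to RFC 7469, whose pin is the base64 encoding of the SHA-256 digest of the peer certificate's DER-encoded SubjectPublicKeyInfo. The following Python is an added illustration of that check from the client side and is not the draft's appendix nor code from any DNS-over-TLS implementation. It uses only the standard library: a small DER reader walks an X.509 certificate to its SubjectPublicKeyInfo (handling both the explicit `[0] version` field being present and absent), computes the RFC 7469-style pin, and compares it against a configured pin set. The certificate it checks is constructed inline (an Ed25519-shaped SPKI over made-up key bytes, empty names and a placeholder zero signature) so the block runs offline; a real client would take `cert_der` from the TLS connection (for example `ssl.SSLSocket.getpeercert(binary_form=True)`) and the pin set from its resolver configuration.

```python
"""RFC 7469-style SPKI pin computation and check (added example, not draft code)."""
import base64
import hashlib
import hmac


def der_encode(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length (long form when >= 128)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_decode(buf: bytes, pos: int = 0):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def der_children(content: bytes):
    """Split SEQUENCE content into (tag, raw TLV bytes) for each child."""
    pos, out = 0, []
    while pos < len(content):
        tag, _, nxt = der_decode(content, pos)
        out.append((tag, content[pos:nxt]))
        pos = nxt
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = der_decode(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tbs_tag, tbs_raw = der_children(cert_body)[0]
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    _, tbs_body, _ = der_decode(tbs_raw)
    fields = der_children(tbs_body)
    if fields and fields[0][0] == 0xA0:   # explicit [0] version present: skip it
        fields = fields[1:]
    spki_tag, spki_raw = fields[5]        # serial, sigalg, issuer, validity, subject, SPKI
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki_raw


def pin_from_spki(spki_der: bytes) -> str:
    """RFC 7469 pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def spki_pin(cert_der: bytes) -> str:
    return pin_from_spki(extract_spki(cert_der))


def pin_matches(cert_der: bytes, pins) -> bool:
    """True if the certificate's SPKI pin is in the configured pin set."""
    observed = spki_pin(cert_der)
    return any(hmac.compare_digest(observed, p) for p in pins)


# --- constructed test certificate (not a real resolver certificate) ---
OID_ED25519 = bytes.fromhex("2b6570")      # 1.3.101.112
PUBKEY = bytes(range(32))                  # made-up 32-byte Ed25519-shaped key


def make_test_cert(pubkey: bytes, with_version: bool = True) -> bytes:
    alg = der_encode(0x30, der_encode(0x06, OID_ED25519))
    spki = der_encode(0x30, alg + der_encode(0x03, b"\x00" + pubkey))
    empty_name = der_encode(0x30, b"")
    validity = der_encode(0x30, der_encode(0x17, b"151207000000Z")
                          + der_encode(0x17, b"161207000000Z"))
    tbs = der_encode(0xA0, der_encode(0x02, b"\x02")) if with_version else b""
    tbs += der_encode(0x02, b"\x01") + alg + empty_name + validity + empty_name + spki
    sig = der_encode(0x03, b"\x00" + bytes(64))   # placeholder, never verified here
    return der_encode(0x30, der_encode(0x30, tbs) + alg + sig)


if __name__ == "__main__":
    cert = make_test_cert(PUBKEY)
    pins = {spki_pin(cert)}               # what an operator would publish out of band
    print("pin:", spki_pin(cert), "match:", pin_matches(cert, pins))
```

The pin is taken over the SubjectPublicKeyInfo rather than the whole certificate, so the resolver operator can re-issue the certificate (new serial, validity or issuer) without changing the pin, which is the property RFC 7469 relies on and the reason the check walks past those fields instead of hashing `cert_der` directly.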