On Mon, Jan 4, 2016 at 4:34 AM, sara <[email protected]> wrote:
> Hi All,
>
> As discussed by the working group (in Yokohama and on the list) a new
> draft has been produced
>
> https://tools.ietf.org/html/draft-dgr-dprive-dtls-and-tls-profiles-00
>
> that describes usage profiles, authentication mechanisms and a (D)TLS
> profile that can be used for both DNS-over-TLS and DNS-over-DTLS:
>
> - It discusses in detail the use of Strict and Opportunistic usage
> profiles for DNS-over-(D)TLS.
>
> - It describes domain name based authentication mechanisms using both
> X.509 certificates and DANE as ways that a DNS server can prove its
> identity for authentication purposes.
>
> - It presents a (D)TLS profile which defines the configuration options and
> protocol extensions required to optimise connection establishment and
> session resumption.
>
> - It additionally has guidance on counter measures to DNS traffic analysis
> and server capability probing by clients.
>
> We request review of this document and consideration for adoption by the
> working group.
>
> Regards
>
> Sara.
>

Apparently I don't understand certificates...
In section 7, an example SRV record is:

_domain-s._tcp.dns.example.com. SRV 0 1 853 dns1.example.com.

But in section 9 I see:

_domain-s.dns.example.com

Are those related? I really don't understand why section 9 even suggests adding _domain-s.dns.example.com

I also don't understand why the Subject field is not valid to use. I thought subjectAltName was optional, and only used if there were more than one domain name in the cert.

--
Bob Harold
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
