On Thursday, January 21, 2016 9:12 PM, Dan Wing wrote:

> On 12-Jan-2016 01:56 pm, Tim Wicinski <[email protected]> wrote:
>
>> ...
>>
>> This starts a Call for Adoption for draft-dgr-dprive-dtls-and-tls-profiles
>>
>> The draft is available here:
>> https://datatracker.ietf.org/doc/draft-dgr-dprive-dtls-and-tls-profiles/
>>
>> Please review this draft to see if you think it is suitable for adoption by DPRIVE, and comments to the list, clearly stating your view.
>
> It should be adopted as a WG document.

I believe that too. I also believe that the document will benefit from reviews and comments.

>> Please also indicate if you are willing to contribute text, review, etc.
>
> I am willing to review.

Me too.

When I read the current draft, I found two issues that will hopefully be fixed in the next revisions.

The first issue is the deployment model. I believe that a very common model will be the connection by client hosts to a trusted recursive resolver. One has to "read between the lines" of the current draft to find how the considerations apply to this model. I wish we could have a more explicit discussion of that scenario.

The other issue is the interaction with "firewall policies" in common use in enterprise networks. These policies include making internal sites available to hosts behind the firewall, but not outside it. They also commonly include barring access to a variety of "not safe for work" domains. Encrypted connections to a DNS server could traverse these firewalls, and bypass these policy controls. The issue is documented in CERT Alert (TA15-240A), "Controlling Outbound DNS Access," https://www.us-cert.gov/ncas/alerts/TA15-240A. We should address it.

-- Christian Huitema

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
