On 29/02/16 19:55, Joel Jaeggli wrote:
> Joel Jaeggli has entered the following ballot position for
> draft-ietf-dprive-edns0-padding-02: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-dprive-edns0-padding/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> This is just something I want to discuss, it's not an objection...
>
> At this point we say:
>
>    Implementations therefore
>    SHOULD avoid using this option if the DNS transport is not encrypted.
>
> If you did allow this on unencrypted dns transport this seems like it
> serves as a utility function for DNS amplification.
>
> Wouldn't it be better to say MUST NOT?
>
> e.g. this is exclusively for use with TLS / DTLS supporting sessions?

If you're running your DNS over IPsec or an SSLVPN then using this
might also be ok. So while a "MUST NOT use in clear" does seem like
it might be correct, that's not the same as "MUST NOT except if
using (D)TLS"

S.
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
