Hi Brian,

> On Mar 8, 2016, at 7:38 AM, Brian Haberman <[email protected]> wrote:
> 
> 
> I am a definite Yes on this work, but just have a couple of comments...
> 
> * Section 3.1 says "By mutual agreement with its server, the client MAY,
> instead, use a port other than port 853 for DNS-over-TLS.  Such an other
> port MUST NOT be port 53..." It would be useful to *briefly* explain the
> MUST NOT. If it is by mutual agreement, what's the harm?

This text was recently added during a review of 5966bis (DNS-over-TCP)
where there was a concern that neither that nor this document said anything
about not mixing cleartext and ciphertext.

I suppose another reason is that middleware boxes might want to "inspect"
port 53 and TLS over port 53 will fail.

Would you be okay with adding this sentence or similar?

   Use of port 53 for DNS-over-TLS is prohibited
   because mixing cleartext and ciphertext can result in false privacy.
> 
> * Section 3.2 uses the SPKI acronym before it is expanded in section
> 4.2.

Fixed.


> 
> * I do not understand the last sentence of section 3.2, especially the
> "SHOULD".


You are referring to this sentence:

     At this point, normal DNS queries SHOULD take place.

I believe it is sort of an artifact from the time when the draft included
a "STARTTLS for DNS" option whereby an unencrypted TCP connection could
be upgraded.  Dropping the sentence is fine with me.

DW
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
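As an added illustration of the port-53 point discussed in this message (example code, not from the draft or the thread): a small Python check that refuses to run DNS-over-TLS on port 53 and classifies a connection's first bytes so a TLS listener drops cleartext DNS instead of silently answering it. Function names and the sample bytes are constructed for this example.

```python
# Added example (not from the thread or the draft): checks a DNS-over-TLS
# listener could apply so cleartext DNS and TLS never share a port.
import struct
from typing import Optional

DOT_DEFAULT_PORT = 853      # default DNS-over-TLS port
DNS_CLEARTEXT_PORT = 53     # cleartext DNS; MUST NOT carry DNS-over-TLS


def check_dot_port(port: int) -> Optional[str]:
    """Return None if the port may carry DNS-over-TLS, otherwise a reason."""
    if not 1 <= port <= 65535:
        return f"port {port} is out of range"
    if port == DNS_CLEARTEXT_PORT:
        return "port 53 is cleartext DNS; TLS on it would mix cleartext and ciphertext"
    return None


def classify_first_bytes(data: bytes) -> str:
    """Classify a connection's first bytes as 'tls', 'dns-cleartext' or 'unknown'
    so a DNS-over-TLS listener can log and drop cleartext queries."""
    # TLS record: type 0x16 (handshake), version 0x03xx, then handshake
    # message type 0x01 (ClientHello) at offset 5.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    # DNS-over-TCP: 2-byte length prefix, then the 12-byte DNS header.
    if len(data) >= 14:
        msg_len, flags, qdcount = struct.unpack("!HxxHH", data[:8])
        qr, opcode, z_bits = flags >> 15, (flags >> 11) & 0xF, flags & 0x0070
        # A query has QR=0, a known opcode, reserved Z bits clear, >=1 question.
        if (msg_len >= 12 and qr == 0 and opcode in (0, 1, 2, 4, 5)
                and z_bits == 0 and qdcount >= 1):
            return "dns-cleartext"
    return "unknown"


def listener_decision(port: int, first_bytes: bytes) -> str:
    """Combine both checks for a listener configured on `port`."""
    reason = check_dot_port(port)
    if reason is not None:
        return "refuse-to-listen: " + reason
    kind = classify_first_bytes(first_bytes)
    return "accept" if kind == "tls" else "drop-" + kind


# Constructed samples: the first 11 bytes of a TLS 1.2 ClientHello record,
# and a cleartext DNS-over-TCP query for example.com/A (id 0x1234, RD set).
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("16030100c8010000c40303")
_HEADER = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
_QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
CLEARTEXT_DNS_QUERY = struct.pack("!H", len(_HEADER) + len(_QUESTION)) + _HEADER + _QUESTION
```

The byte classification is only a first-line triage for logging; the authoritative check remains completing the TLS handshake, which cleartext DNS cannot do.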
