On Mon, Mar 14, 2016 at 08:58:59PM -0700, Ben Campbell <[email protected]> wrote a message of 54 lines which said:
> I'm balloting yes, but I do have a few comments/questions:
>
> - 3.1, third paragraph:
> This seems to put normative requirements on clients and servers that do
> not implement this draft. If that is really needed, then perhaps this
> needs to update the appropriate base spec(s)?

Old (not implementing this draft) DNS clients and servers will not use port 853 at all, so this paragraph means nothing to them. (That's one of the reasons to use a dedicated port, instead of the original method of "upgrade to TLS" on port 53.)

> - 4 and subsections:
> There seems to be a notable absence of a profile that requires server
> authentication but does not require pinning.

The way I see it, the profiles in draft-ietf-dprive-dtls-and-tls-profiles-00, another DPRIVE work item, are not defined by the techniques they use but by the security properties they have. That's why the profile in draft-ietf-dprive-dtls-and-tls-profiles-00, section 6, for instance, says "domain name - authenticated by X.509 or DANE - or pin".

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy

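An added example, not part of the message above nor of the draft, of the two points under discussion: a client that only ever speaks on the dedicated port 853 with the two-octet length framing, and a server-authentication check stated as a property (the name is authenticated by X.509/DANE, or the certificate matches a pin) rather than as one technique. It assumes the caller supplies the DANE/X.509 outcome (only PKIX via Python's ssl module is actually performed), that the pin is a SHA-256 over the whole DER certificate as a stand-in for the SPKI pin sets of RFC 7469, and that server address, name and pins are placeholders.

```python
import base64
import hashlib
import socket
import ssl
import struct

DOT_PORT = 853  # dedicated DoT port; DNS software that predates this never opens it

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS wire-format query: one question, RD=1 (constructed, not the draft's)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame_for_tls(msg):
    """Two-octet length prefix, as for DNS over TCP (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def pin_of(cert_der):
    """base64(SHA-256(DER cert)). Simplification: RFC 7469 pin sets hash only the SPKI."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")

def server_authenticated(cert_der, x509_name_ok, pins):
    """Property-based check: authenticated by X.509/DANE name OR by a pin match."""
    return bool(x509_name_ok) or pin_of(cert_der) in pins

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS stream closed mid-message")
        buf += chunk
    return buf

def resolve_over_tls(server_ip, server_name, qname, pins=()):
    """One query to a DoT server on 853. pins empty: strict PKIX + hostname check.
    pins given: PKIX is skipped and the pin check below authenticates the server."""
    ctx = ssl.create_default_context()
    if pins:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((server_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            cert = tls.getpeercert(binary_form=True)
            if not server_authenticated(cert, x509_name_ok=not pins, pins=pins):
                raise ssl.SSLError("server matches no configured pin")
            tls.sendall(frame_for_tls(build_query(qname)))
            return recv_exact(tls, struct.unpack("!H", recv_exact(tls, 2))[0])
```

A plain-DNS-only resolver is never contacted by this code, since it only ever connects to port 853; the "upgrade on 53" alternative the reply mentions is what would have required both sides to understand a new signal.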