On Mon, Mar 14, 2016 at 08:58:59PM -0700, Ben Campbell <[email protected]> wrote a message of 54 lines which said:
> There seems to be a notable absence of a profile that requires > server authentication but does not require pinning. I assume there's > a good reason for that which is obvious to people with stronger TLS > and/or DNS backgrounds than mine. But it might be helpful to say > why. I don't have a clear response here. Re-reading draft-ietf-dprive-dns-over-tls-07, I find that the profile in 4.2 is defined by a technique (pinning) not by its privacy properties. Is it a good idea? > Do (or should) the profiles have anything to say about clear-text > fallback if a client cannot connect to the server's DNS-over-TLS > port, or the TLS handshake fails? I infer that such fallback should > not occur with the pinned profile, but what about the opportunistic > profile? I don't want to reopen discussions on draft-ietf-dprive-dns-over-tls-07 but may be we can improve it for draft-ietf-dprive-dtls-and-tls-profiles-00: its definition in section 5 does not address this issue. May be have two opportunistic profiles, one with fallback to clear text if necessary and another without? _______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
