On 15 Mar 2016, at 9:14, Stephane Bortzmeyer wrote:
On Mon, Mar 14, 2016 at 08:58:59PM -0700,
Ben Campbell <[email protected]> wrote
a message of 54 lines which said:
I'm balloting yes, but I do have a few comments/questions:
- 3.1, third paragraph:
This seems to put normative requirements on clients and servers that
do
not implement this draft. If that is really needed, then perhaps this
needs to update the appropriate base spec(s)?
Old (not implementing this draft) DNS clients and servers will not use
port 853 at all so this paragraph means nothing to them. (That's one
of the reasons to use a dedicated port, instead of the original method
of "upgrade to TLS" on port 53.)
Does this mean old servers cannot be configured to use 853 as an
alternative port? (Then why have the normative language in the first
place.)
- 4 and subsections:
There seems to be a notable absence of a profile that requires server
authentication but does not require pinning.
The way I see it, the profiles in
draft-ietf-dprive-dtls-and-tls-profiles-00, another DPRIVE work item,
are not defined by the techniques they use but by the security
properties they have. That's why the profile in
draft-ietf-dprive-dtls-and-tls-profiles-00, section 6, for instance,
says "domain name - authentified by X.509 or DANE - or pin".
Normally it would seem to me that the choice between authenticating and
not authenticating changes the security properties in at least some
situations. I can imagine configuring a host to use Google's DNS service
because I did not want my ISP to see my DNS traffic, but not going to
the trouble of pinning the certificate.
OTOH, It just occurred to me that I don't recall the draft talking about
what name validation. (Maybe I missed or forgot it; I don't have the
text in front of at the moment.) Depending on the choices there, (and
assuming there's not much choice for DNS servers), I can see how
non-pinned authentication might not add much.
Ben.
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
