On Tue, Aug 16, 2016 at 01:05:40PM -0400, Warren Kumari <[email protected]> wrote a message of 38 lines which said:
> https://datatracker.ietf.org/doc/draft-ietf-dprive-dnsodtls/

I've read it (the last version, -10) and, for me, it is OK, and ready to be sent to the next step.

I would like to make it a bit shorter by deleting two sentences: "An active attacker can send bogus responses causing misdirection of the subsequent connection" in the abstract, and "Active attackers have long been successful at injecting bogus responses, causing cache poisoning and causing misdirection of the subsequent connection (if attacking A or AAAA records). A popular mitigation against that attack is to use ephemeral and random source ports for DNS queries [RFC5452]." in section 1. Both are about an attack which is *not* mitigated by DNS-over-DTLS, and these two sentences are clearly out of scope. (The relationship with DNSSEC, which solves these attacks, is already handled in section 1.1.)

Otherwise, now that the well-known port is not absolutely mandatory, I suggest changing "Once the DNS client succeeds in receiving HelloVerifyRequest from the server via UDP on the well-known port for DNS-over-DTLS" to "Once the DNS client succeeds in receiving HelloVerifyRequest from the server via UDP from the port used for DNS-over-DTLS".

RFC 2119 mandatory flame war: "the DNS client may want to probe the server using DTLS heartbeat" May or MAY?
