Hi All, Here is an update to the draft which attempts to address the majority of the comments received during IESG review so far. Given the number and extent of the changes I would request further careful review of this version, particularly from the working group.
Changes are:

* Clarified the specific attacks the Usage Profiles mitigate against.
* Revised wording in the draft relating to 'security/privacy guarantees' and generally improved consistency of wording throughout the document.
* Corrected and added a number of references:
  - RFC7924 is now Normative
  - RFC7918 and RFC8094 are now Normative (and therefore Downrefs)
  - draft-ietf-tls-tls13, draft-ietf-dprive-padding-policy, RFC3315 and RFC7227 added
* Terminology: Updated definition of Privacy-enabling DNS server and moved normative definition to section 4.
* Section 5 and 6.3: Included discussion of the additional attacks possible when using meta-queries to bootstrap the DNS service.
* Section 5: Added sentence on why Opportunistic Profile may fallback for latency reasons.
* Section 5.1: Added discussion of when clients might change Usage Profiles.
* Section 6.4: Added caveat on use of combined authentication re RFC7469.
* Section 6.5: Added more detail on how authentication results might be used in Opportunistic. Opportunistic clients now SHOULD try for the best case.
* Section 7.3: Re-worked this section and the discussion of DHCP.
* Section 9: Removed unnecessary text, added condition on use of RFC7250 (Raw public keys).
* Section 11: More detail on padding policies.
* Numerous editorial corrections.

Regards,
Sara.

> On 16 Jun 2017, at 09:49, [email protected] wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the DNS PRIVate Exchange of the IETF.
>
>         Title           : Usage and (D)TLS Profiles for DNS-over-(D)TLS
>         Authors         : Sara Dickinson
>                           Daniel Kahn Gillmor
>                           Tirumaleswar Reddy
>         Filename        : draft-ietf-dprive-dtls-and-tls-profiles-10.txt
>         Pages           : 29
>         Date            : 2017-06-16
>
> Abstract:
>    This document discusses Usage Profiles, based on one or more
>    authentication mechanisms, which can be used for DNS over Transport
>    Layer Security (TLS) or Datagram TLS (DTLS).  These profiles can
>    increase the privacy of DNS transactions compared to using only clear
>    text DNS.  This document also specifies new authentication mechanisms
>    - it describes several ways a DNS client can use an authentication
>    domain name to authenticate a (D)TLS connection to a DNS server.
>    Additionally, it defines (D)TLS protocol profiles for DNS clients and
>    servers implementing DNS-over-(D)TLS.  This document updates RFC
>    7858.
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dprive-dtls-and-tls-profiles/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-dprive-dtls-and-tls-profiles-10
> https://datatracker.ietf.org/doc/html/draft-ietf-dprive-dtls-and-tls-profiles-10
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dprive-dtls-and-tls-profiles-10
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> dns-privacy mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dns-privacy
