Hi All, 

This draft is now ready to progress once a -12 version is available. I just 
want to circle back round to summarise the fact that the only proposed 
difference that will be in the -12 version compared to -11 is the following (in 
section 7.2. Direct configuration of ADN only): 

Current text:

“It can then use Opportunistic DNS connections to an untrusted recursive
   DNS resolver to establish the IP address of the intended privacy-
   enabling DNS resolver by doing a lookup of A/AAAA records.  Such
   records SHOULD be DNSSEC validated when using a Strict Usage profile
   and MUST be validated when using Opportunistic Privacy.”

New text:

“It can then use Opportunistic DNS connections to an untrusted recursive
   DNS resolver to establish the IP address of the intended privacy-
   enabling DNS resolver by doing a lookup of A/AAAA records.  A
   DNSSEC validating client SHOULD apply the same validation policy
   to the A/AAAA meta-query lookups as it does to other queries.
   A client that does not validate DNSSEC SHOULD apply the same policy (if any)
   to the A/AAAA meta-query lookups as it does to other queries.”

I hope I captured the consensus correctly? Please let me know as I intend to 
put out the -12 (final) version next Monday (20th). 

Sara. 

> On 31 Oct 2017, at 16:12, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> 
> On 31 Oct 2017, at 8:06, Sara Dickinson wrote:
> 
>> So maybe “A DNSSEC validating client SHOULD apply the same validation policy 
>> to the A/AAAA meta-query lookup as it does to other queries.”?
> 
> That could be misinterpreted to indicate that there has to be some positive 
> validation policy. How about:
>   A DNSSEC validating client SHOULD apply the same validation policy
>   to the A/AAAA meta-query lookup as it does to other queries.
>   A client that does not validate DNSSEC SHOULD apply any policy it
>   has to the A/AAAA meta-query lookup.
> --Paul Hoffman

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
