>>>>> "BH" == Brian Haberman <[email protected]> writes:
BH> What I will ask now is that those who are interested in the current
BH> draft to start providing detailed reviews ...

The draft asks whether TLS 1.3 should be the minimum version.

It would be better for this document to specify >= 1.2. It will be much easier in the short term to add 1.2 support to existing machines than 1.3, and that would allow much more real testing during the draft state.

The draft's choice to use DANE to authenticate the auth server seems to be the best option available. That it cannot be spoofed w/o altering the parent zone's DS RR is sufficient.

The happy eyeballs reference looks to be the right thing to do.

The draft states:

> If it is a concern that the same authoritative name servers are used
> for ordinary DNS and for encrypted DNS,

I don't know that it should be, but if so it probably should discuss why some may find it to be a concern.

I think we should discuss whether an EDNS option to signal a successful authentication or failure really is out of scope, as the draft says.

The strict vs opportunistic paragraph looks exactly right.

I'll let those with more time review whether any of the references need updating.

-JimC
-- 
James Cloos <[email protected]>         OpenPGP: 0x997A9F17ED7DAEA6

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
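The DANE check the message endorses, as an added illustration that is not part of the original message or of the draft: a TLSA record is parsed and matched against the server's certificate or SubjectPublicKeyInfo as RFC 6698 specifies, and is only trusted when the answer was DNSSEC-validated, since an unsigned record has no anchor in the parent zone's DS RR. It assumes the authoritative server publishes a DANE-EE (usage 3) record; the certificate and SPKI bytes are constructed sample input and all names are hypothetical.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample bytes; a real check takes these from the TLS leaf certificate.
SAMPLE_SPKI = b"constructed-spki-der-bytes"
SAMPLE_CERT = b"constructed-certificate-der-bytes"

@dataclass(frozen=True)
class TLSARecord:
    usage: int     # 0..3; 3 = DANE-EE (assumed here to be what the auth server publishes)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse TLSA RDATA in zone-file presentation form, e.g. '3 1 1 <hex...>'."""
    usage, selector, mtype, *hexparts = rdata.split()
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex("".join(hexparts)))

def tlsa_rdata_for(spki_der: bytes, usage: int = 3) -> str:
    """What a zone operator publishes for its server key: '<usage> 1 1 <sha256 hex>'."""
    return f"{usage} 1 1 {hashlib.sha256(spki_der).hexdigest()}"

def tlsa_matches(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """RFC 6698 matching; an unknown selector or matching type makes the record unusable."""
    if rec.selector == 0:
        blob = cert_der
    elif rec.selector == 1:
        blob = spki_der
    else:
        return False
    if rec.mtype == 0:
        digest = blob
    elif rec.mtype == 1:
        digest = hashlib.sha256(blob).digest()
    elif rec.mtype == 2:
        digest = hashlib.sha512(blob).digest()
    else:
        return False
    return digest == rec.data

def dane_ee_authenticates(records, cert_der, spki_der, dnssec_validated: bool) -> bool:
    """Accept the server only if a DNSSEC-validated DANE-EE record matches its key.
    An unvalidated TLSA answer is ignored: without the chain anchored in the
    parent's DS RR the record could have been spoofed."""
    if not dnssec_validated:
        return False
    return any(r.usage == 3 and tlsa_matches(r, cert_der, spki_der) for r in records)
```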
