On Fri, 30 Oct 2020, Paul Hoffman wrote:

Greetings again. Based on the list discussion of the -00 draft, I have revised 
the draft with the use case and a proposed method for opportunistic encryption 
of recursive-to-authoritative communication. The new draft more clearly 
delineates what is use case and what is the proposed method, simplifies the 
proposed method, and is clearer where the overlap will be if the WG adopts a 
use case and method for authentication-required communication.

Please see
  https://tools.ietf.org/html/draft-pp-recursive-authoritative-opportunistic-01
This isn't a WG document yet, but if the WG wants it, I think it could work 
well within the charter, and with the discussion of 
draft-ietf-dprive-phase2-requirements.

I still believe the cost of authenticating a DNS(SEC) server is so low
these days (with ACME available at no cost and with full automation)
that this draft is better not done.

One thing that stands out:


        The recursive resolver MAY note the
        authentication failure and act on it (such as by logging it or noting
        it in the cache), as long as the failure does not prevent the TLS
        session from completing.

I believe what is meant here is certificate validation (identity
authentication) and not (session) authentication. For example, an attack
modifying the TLS handshake parameters would lead to an authentication
failure and such a failure MUST NOT be ignored.

The Transport Cache section should probably mention negative cache
too.  That is, clarify that the cache is used not only for positive TLS
authentication information but also for the lack thereof.

I'm not sure why the AUTHINFO section was removed?

Paul

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
