On Nov 4, 2020, at 1:10 AM, Brian Dickson <[email protected]> wrote:
> 
>> On Tue, Nov 3, 2020 at 6:15 PM Paul Hoffman <[email protected]> wrote:
>> Greetings again. I really like many of the changes in 
>> draft-ietf-dprive-phase2-requirements-02 and think that it gets closer to 
>> what we want for requirements. One of the requirements seems unnecessary, 
>> however.
>> 
>>    7.   The authoritative domain owner or their administrator MUST have
>>         the option to specify their secure transport preferences (e.g.
>>         what specific protocols are supported).  This SHALL include a
>>         method to publish a list of secure transport protocols (e.g.
>>         DoH, DoT and other future protocols not yet developed).
>> 
>> If the WG goes with DoT and/or DoQ, you can discover the server's 
>> capabilities by probing port 853 and TBD-Q, or maybe by finding TLSA 
>> records. There is only a need to "publish" a list of secure protocols if 
>> they include DoH or DoHoQ.
>> 

> No, this is not accurate, and highly misleading. I am not casting aspersions 
> on your intent, merely calling out the correctness of the argument.

The phrase "highly misleading" does indeed cast aspersions. 

> The prevention of downgrade attacks requires publication of servers 
> capabilities and intents, including preferred or offered protocols.
> This includes DoT.

The prevention of downgrade attacks is not needed for the use case that has 
been described so far (opportunistic encryption). It is only needed for the use 
case that has not been described (failed DNS resolution when authentication is 
not possible).

--Paul Hoffman
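To make the disagreement above concrete, here is an added illustrative model (not code from the draft, the thread, or any resolver) of how a resolver picks a transport to an authoritative server under the two policies being argued about: opportunistic (probe port 853 / the DoQ port, fall back to cleartext) versus strict (only use a transport the domain owner has published, fail the resolution otherwise). The `blocked` set, the `Server` fields, and the choice that strict mode fails closed when nothing is published are all assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Optional

CLEARTEXT = "Do53"
SECURE = ["DoT", "DoQ"]  # transports the thread discusses; order = preference


@dataclass
class Server:
    # Transports the server actually speaks (what a probe would discover).
    offered: set = field(default_factory=set)
    # Transports the owner has published (requirement 7 in the draft);
    # None models "nothing published". Assumed field, not from the draft.
    published: Optional[set] = None


def probe(server: Server, transport: str, blocked: set) -> bool:
    """Simulate probing a transport. `blocked` is a constructed set of
    transports an on-path party has made unreachable, which is exactly what a
    probe-only resolver cannot distinguish from 'not offered'."""
    return transport in server.offered and transport not in blocked


def select_transport(server: Server, blocked: set, strict: bool) -> Optional[str]:
    """Return the transport used, or None for a failed resolution.
    Opportunistic mode never fails but may silently land on cleartext;
    strict mode only succeeds over a transport the owner published."""
    if strict:
        if not server.published:
            return None  # modelling assumption: nothing to rely on, fail closed
        for t in SECURE:
            if t in server.published and probe(server, t, blocked):
                return t
        return None  # published secure transport unreachable: do not downgrade
    for t in SECURE:
        if probe(server, t, blocked):
            return t
    return CLEARTEXT  # opportunistic: fall back, indistinguishable from "no DoT"


def downgraded(server: Server, blocked: set, strict: bool) -> bool:
    """True when a server that offers a secure transport ended up on cleartext.
    This is the case a published list can turn into a hard failure instead."""
    chosen = select_transport(server, blocked, strict)
    return chosen == CLEARTEXT and bool(server.offered)
```

Run with a server that offers and publishes DoT: with DoT reachable both policies pick it; with DoT blocked the opportunistic resolver downgrades to Do53 while the strict one fails, which is the "failed DNS resolution when authentication is not possible" case the reply refers to.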
