OK, done: https://github.com/tlswg/draft-ietf-tls-svcb-ech/pull/16 ________________________________ From: Salz, Rich <[email protected]> Sent: Monday, September 30, 2024 1:29 PM To: Ben Schwartz <[email protected]>; Eric Rescorla <[email protected]>; Paul Wouters <[email protected]> Cc: [email protected] <[email protected]>; <[email protected]> <[email protected]>; [email protected] WG <[email protected]> Subject: Re: [TLS] Re: [DNSOP] AD review draft-ietf-tls-svcb-ech
We could add a recommendation like "Clients using ECH SHOULD select a DNS resolver that they trust to preserve the confidentiality of their queries and return authentic answers, and communicate using an authenticated and confidential transport", We could add a recommendation like "Clients using ECH SHOULD select a DNS resolver that they trust to preserve the confidentiality of their queries and return authentic answers, and communicate using an authenticated and confidential transport", but this draft seems like an odd place for that text. When DNS SVCB has an ech entry, DNS is being used a little differently than your conventional DNS for ipaddress, since you can use TLS to authenticate what DNS told. For ECH you cannot. In other words, I think recommendation, or warning in security considerations, is exactly right for this document.
_______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
