Thank you for your WGLC feedback, and also to Petr for his DNSDIR review and to Gianpaolo for his support of the draft (and the PoC implementation).

I would like to ask the WG participants who have read the draft previously to review the changes and send their support or feedback on the document to the mailing list.

Generally speaking, we cannot make progress on documents without the WG's feedback. This was also raised during the closing of our DNSOP WG Session I on Monday. We would like to speed up the pace of the documents in the WG and need to do this together with you.

Thanks,

-- Benno

On 3/2/26 01:59, Stephane Bortzmeyer wrote:
On Fri, Feb 27, 2026 at 04:26:26AM -0800,
  Benno Overeinder via Datatracker <[email protected]> wrote
  a message of 38 lines which said:

This message starts a WG Last Call for:
draft-ietf-dnsop-structured-dns-error-17

Issue in section 3:

"During the TLS handshake, the on-path network security device
modifies the certificate provided by the server and (re)signs it using
the private key from the local root certificate." I simply do not
understand this sentence. If, as said at the beginning of the
paragraph, "The DNS response is forged to provide a list of IP
addresses that points to an HTTP(S) server", there is no need to
modify the certificate, the TLS handshake is done entirely with the
"security device". The entire paragraph is messy, anyway, if the DNS
serves forged answers, the "security device" does not even need to be
on-path (unlike what the current text says).

Also, some small details:

Section 10.2 "Further, clients MUST NOT display the value of the "o"
field to the end-user unless one of the following conditions is met:"
The example in section 8 apparently does not meet any of these
conditions.
Section 1 "and additionally for parental control" Parental control
was already mentioned in the same paragraph.


_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]