On Sun, Oct 23, 2022 at 10:45 PM Daniel Migault <mglt.i...@gmail.com> wrote:
> While TLS gives you privacy,
>
>> the DNS Update cannot be done with only TLS (as far as I understand it).
>>>
>>> Please develop, but just in case, we do not use DNS Update to
>>> synchronize the zone. We use AXFR/IXFR over TLS defined in XoT.
>>>

This to me was not clear and a missed reference by me. While you name RFC9103, the text states:

    DNS over TLS: indicates the support of DNS over TLS as described in
    [RFC7858 <https://datatracker.ietf.org/doc/html/rfc7858>] and
    [RFC9103 <https://datatracker.ietf.org/doc/html/rfc9103>].

I should have looked more closely at the references, and I would have realized 9103 is about DNS XFR over TLS. That document indeed explains that XoT uses mutually authenticated TLS, which provides the authentication for the XFR streams.

My suggestion:

Current:

    DNS over TLS: indicates the support of DNS over TLS as described in
    [RFC7858 <https://datatracker.ietf.org/doc/html/rfc7858>] and
    [RFC9103 <https://datatracker.ietf.org/doc/html/rfc9103>].

New:

    DNS Zone Transfer over TLS: indicates the support of DNS Zone Transfer
    over TLS as described in [RFC9103].

The reference to RFC7858 is misleading: it only deals with stub to recursive. If you think stub to recursive is in scope, it might be better to use two DHCP options, as these two things seem to be very separate protocols (that just both happen to use DNS and TLS).

>>> So you are going against the RFC 5936 SHOULD.
>>
>> I even had to look this up because I didn't know you could do an AXFR as
>> a secondary from a primary without DNS level authentication. Apparently
>> you can, but you SHOULD not.
>>
>> That is what we do. TLS provides enough security to replace TSIG / SIG(0).
>

Reading 9103 made that clear to me now, but the text in the document did not. Perhaps that can be stated more clearly?

Paul
_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet