On Tue, Jul 9, 2019 at 5:03 AM Sara Dickinson wrote:
> All,
>
> An updated version of draft-hzpa-dprive-xfr-over-tls has been submitted
> which contains much more detail on data flows, authentication mechanisms
> and other issues than the previous version.
>
> Feedback and review welcomed.
>
> Best regards
>
> Sara.
>
> Begin forwarded message:
>
> *From: *internet-dra...@ietf.org
> *Subject: **New Version Notification for
> draft-hzpa-dprive-xfr-over-tls-02.txt*
> *Date: *8 July 2019 at 18:27:36 BST
> *To: *"Sara Dickinson" , "Han Zhang" <
> hzh...@salesforce.com>, "Willem Toorop" , "Allison
> Mankin" , "Pallavi Aras"
>
>
> A new version of I-D, draft-hzpa-dprive-xfr-over-tls-02.txt
> has been successfully submitted by Sara Dickinson and posted to the
> IETF repository.
>
> Name: draft-hzpa-dprive-xfr-over-tls
> Revision: 02
> Title: DNS Zone Transfer-over-TLS
> Document date: 2019-07-08
> Group: Individual Submission
> Pages: 18
> URL:
> https://www.ietf.org/internet-drafts/draft-hzpa-dprive-xfr-over-tls-02.txt
> Status:
> https://datatracker.ietf.org/doc/draft-hzpa-dprive-xfr-over-tls/
> Htmlized:
> https://tools.ietf.org/html/draft-hzpa-dprive-xfr-over-tls-02
> Htmlized:
> https://datatracker.ietf.org/doc/html/draft-hzpa-dprive-xfr-over-tls
> Diff:
> https://www.ietf.org/rfcdiff?url2=draft-hzpa-dprive-xfr-over-tls-02
>
> Abstract:
> DNS zone transfers are transmitted in clear text, which gives
> attackers the opportunity to collect the content of a zone by
> eavesdropping on network connections. The DNS Transaction Signature
> (TSIG) mechanism is specified to restrict direct zone transfer to
> authorized clients only, but it does not add confidentiality. This
> document specifies use of DNS-over-TLS to prevent zone contents
> collection via passive monitoring of zone transfers.
>
>
4.1. AXFR Mechanism
"zone is update to date"
"update to" -> "up to"
4.2.
"forth step" -> "fourth step" (in several places)
4.3. Data Leakage of NOTIFY and SOA Message Exchanges
"This section attempts to presents a rationale"
"presents" -> "present"
6.2. TLS
Not sure that these are the right words. "surveillance" to me implies a
passive watching. Which means:
"passive surveillance" - is redundant, and
"active surveillance" - is a contradiction in terms.
I assume that "active" means sending packets to try to confuse the server
or client, which I would call an "attack" and not "surveillance".
Or am I wrong?
--
Bob Harold
___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy