Re: [TLS] [dns-privacy] Martin Duke's No Objection on draft-ietf-dprive-xfr-over-tls-11: (with COMMENT)

Thu, 29 Apr 2021 06:11:51 -0700 

Martin,

The IETF Last Call on this document has completed on the 20th of April 2021 but 
it is never too late of course.

I just added our security Area Directors in the loop so that know your question 
for their ballot due for next week.

Regards

-éric



-----Original Message-----
From: dns-privacy <dns-privacy-boun...@ietf.org> on behalf of Sara Dickinson 
<s...@sinodun.com>
Date: Thursday, 29 April 2021 at 14:52
To: Martin Thomson <m...@lowentropy.net>
Cc: DNS Privacy Working Group <dns-priv...@ietf.org>, "tls@ietf.org" 
<tls@ietf.org>
Subject: Re: [dns-privacy] Martin Duke's No Objection on 
draft-ietf-dprive-xfr-over-tls-11: (with COMMENT)



    > On 29 Apr 2021, at 01:09, Martin Thomson <m...@lowentropy.net> wrote:
    > 
    > On Wed, Apr 28, 2021, at 20:27, Sara Dickinson wrote:
    >> An early version of this specification proposed a XoT specific ALPN in 
    >> order to distinguish this from a connection intended to perform 
    >> recursive to authoritative DoT (often called ADoT). ADoT is not yet 
    >> specified, but is the subject of ongoing discussions in DPRIVE. The 
    >> working group rejected this idea for XoT and switched to the current 
    >> spec which does not use an ALPN at all. 
    > 
    > No new protocol should use TLS without ALPN.  It only opens space for 
cross-protocol attacks.  Did the working group consider this possibility in 
their discussions?

    What the working group asked for following the ALPN discussion was that the 
document contain a description of the options an authoritative nameserver that 
supports XoT can use to manage TLS connections and the queries received on 
those connections  - that is provided in Appendix A: 
https://tools.ietf.org/html/draft-ietf-dprive-xfr-over-tls-11#appendix-A

    As more context, the document also covers various existing mechanisms that 
can be used to manage zone transfers (including IP ACLs and TSIG) and how they 
combine with Strict and Mutual TLS authentication. The document specifies that 
the server MUST use either an IP ACL or mTLS to authenticate the XoT client. 

    Regards

    Sara. 

    _______________________________________________
    dns-privacy mailing list
    dns-priv...@ietf.org
    https://www.ietf.org/mailman/listinfo/dns-privacy

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Reply via email to