Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement

[Daniel Kahn Gillmor <dkg@fifthhorseman.net>]

On Tue 2017-11-14 12:04:19 +0100, Sara Dickinson wrote:

> This draft is now ready to progress once a -12 version is available. I
> just want to circle back round to summarise the fact that the only
> proposed difference that will be in the -12 version compared to -11 is
> the following (in section 7.2. Direct configuration of ADN only):
>
> Current text:
>
> “It can then use Opportunistic DNS connections to an untrusted recursive
>    DNS resolver to establish the IP address of the intended privacy-
>    enabling DNS resolver by doing a lookup of A/AAAA records.  Such
>    records SHOULD be DNSSEC validated when using a Strict Usage profile
>    and MUST be validated when using Opportunistic Privacy."
>
> New text:
> “It can then use Opportunistic DNS connections to an untrusted recursive
>    DNS resolver to establish the IP address of the intended privacy-
>    enabling DNS resolver by doing a lookup of A/AAAA records. A 
>    DNSSEC validating client SHOULD apply the same validation policy
>   to the A/AAAA meta-query lookups as it does to other queries.
>   A client that does not validate DNSSEC SHOULD apply the same policy (if any)
>   to the A/AAAA meta-query lookups as it does to other queries."
>
> I hope I captured the consensus correctly? Please let me know as I
> intend to put out the -12 (final) version next Monday (20th).

The text looks good to me.  thanks for taking care of this, Sara.

    --dkg