Re: [dns-privacy] Ben Campbell's Yes on draft-ietf-dprive-dns-over-tls-07: (with COMMENT)

Stephane Bortzmeyer <bortzmeyer@nic.fr> Tue, 15 March 2016 14:15 UTC

Date: Tue, 15 Mar 2016 15:14:48 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Ben Campbell <ben@nostrum.com>
Message-ID: <20160315141448.GA24783@nic.fr>
References: <20160315035859.11533.34536.idtracker@ietfa.amsl.com>
In-Reply-To: <20160315035859.11533.34536.idtracker@ietfa.amsl.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/CJ5oNHX4Ny2agIOIVEtw3i4_lQo>
Cc: tjw.ietf@gmail.com, allison.mankin@gmail.com, draft-ietf-dprive-dns-over-tls@ietf.org, The IESG <iesg@ietf.org>, dprive-chairs@ietf.org, dns-privacy@ietf.org

On Mon, Mar 14, 2016 at 08:58:59PM -0700, Ben Campbell <ben@nostrum.com> wrote a message of 54 lines which said:

> I'm balloting yes, but I do have a few comments/questions:
> 
> - 3.1, third paragraph:
> This seems to put normative requirements on clients and servers that do
> not implement this draft. If that is really needed, then perhaps this
> needs to update the appropriate base spec(s)?

Old (not implementing this draft) DNS clients and servers will not use
port 853 at all so this paragraph means nothing to them. (That's one
of the reasons to use a dedicated port, instead of the original method
of "upgrade to TLS" on port 53.)

> - 4 and subsections:
> There seems to be a notable absence of a profile that requires server
> authentication but does not require pinning.

The way I see it, the profiles in
draft-ietf-dprive-dtls-and-tls-profiles-00, another DPRIVE work item,
are not defined by the techniques they use but by the security
properties they have. That's why the profile in
draft-ietf-dprive-dtls-and-tls-profiles-00, section 6, for instance,
says "domain name - authenticated by X.509 or DANE - or pin".
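The point above, that a profile is defined by the security property it achieves and that a name check (PKIX or DANE) and an SPKI pin are two interchangeable ways of reaching "authenticated server", as an added Python example that is not part of this thread or of the draft: a minimal DER walker pulls the SubjectPublicKeyInfo out of a certificate, computes the RFC 7469 pin format (base64 of the SHA-256 over the DER SPKI) used for DNS-over-TLS SPKI pinning, and records which property authenticated the resolver. The function names, the `name_verified` flag (standing in for the TLS stack's own PKIX/DANE result) and the sample certificate are assumptions constructed for this example.

```python
import base64
import hashlib

def _tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _der(tag, content):
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate."""
    _, cert, _ = _tlv(cert_der, 0)         # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)              # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):                  # split tbsCertificate into its TLVs
        _, _, nxt = _tlv(tbs, pos)
        fields.append(tbs[pos:nxt])
        pos = nxt
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields.pop(0)
    return fields[5]                       # serial, sigalg, issuer, validity, subject, SPKI

def spki_pin(cert_der):
    """RFC 7469 pin: base64(SHA-256(DER SPKI)), the format used for DoT SPKI pinning."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def authenticate(cert_der, name_verified, pins):
    """Report which property authenticated the server: "name" (PKIX or DANE check
    of the resolver's domain name, done by the TLS stack) or "pin" (SPKI pin match).
    None means unauthenticated; a strict client must then abort the connection."""
    if name_verified:
        return "name"
    return "pin" if spki_pin(cert_der) in pins else None

# Constructed sample (not a real certificate): minimal v3 layout with a dummy key.
_SIG_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSA
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
                   + _der(0x03, b"\x00" + b"\x01" * 64))
SAMPLE_CERT = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _SIG_ALG
                   + _der(0x30, b"") * 3 + SAMPLE_SPKI) + _SIG_ALG + _der(0x03, b"\x00" * 5))
```

On a live connection the certificate would come from `ssl.SSLSocket.getpeercert(binary_form=True)` after the handshake on port 853, and `name_verified` from the context's hostname check or a DANE validator.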