Re: [TLS] [dns-privacy] Martin Duke's No Objection on draft-ietf-dprive-xfr-over-tls-11: (with COMMENT)

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Thu, 29 April 2021 13:11 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Sara Dickinson <sara@sinodun.com>, Martin Thomson <mt@lowentropy.net>
CC: DNS Privacy Working Group <dns-privacy@ietf.org>, "tls@ietf.org" <tls@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>, Roman Danyliw <rdd@cert.org>
Thread-Topic: [dns-privacy] Martin Duke's No Objection on draft-ietf-dprive-xfr-over-tls-11: (with COMMENT)
Thread-Index: AQHXPPZ3du6M8qgvhEu9xzBJQHN1marLmYoA
Date: Thu, 29 Apr 2021 13:10:04 +0000
Message-ID: <C4C21529-26F8-47C6-BB6A-DDD7D019AF06@cisco.com>
References: <161921129877.20343.10624609154750488813@ietfa.amsl.com> <034F6C49-0195-4FAF-9EF2-1E39E809F902@sinodun.com> <7d8fa1d2-ef1a-4ed3-b660-955248a4ec63@www.fastmail.com> <E6EA2360-CC95-4805-AC90-61C8B294B9BB@sinodun.com>
In-Reply-To: <E6EA2360-CC95-4805-AC90-61C8B294B9BB@sinodun.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/q3BBPOviFI6TEFtLY9SrsMwIWvI>
Subject: Re: [TLS] [dns-privacy] Martin Duke's No Objection on draft-ietf-dprive-xfr-over-tls-11: (with COMMENT)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

Martin,

The IETF Last Call on this document completed on the 20th of April 2021, but it is never too late, of course.

I just added our Security Area Directors to the loop so that they know about your question for their ballot, due next week.

Regards

-éric



-----Original Message-----
From: dns-privacy <dns-privacy-bounces@ietf.org> on behalf of Sara Dickinson <sara@sinodun.com>
Date: Thursday, 29 April 2021 at 14:52
To: Martin Thomson <mt@lowentropy.net>
Cc: DNS Privacy Working Group <dns-privacy@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [dns-privacy] Martin Duke's No Objection on draft-ietf-dprive-xfr-over-tls-11: (with COMMENT)



    > On 29 Apr 2021, at 01:09, Martin Thomson <mt@lowentropy.net> wrote:
    > 
    > On Wed, Apr 28, 2021, at 20:27, Sara Dickinson wrote:
    >> An early version of this specification proposed an XoT-specific ALPN in 
    >> order to distinguish this from a connection intended to perform 
    >> recursive to authoritative DoT (often called ADoT). ADoT is not yet 
    >> specified, but is the subject of ongoing discussions in DPRIVE. The 
    >> working group rejected this idea for XoT and switched to the current 
    >> spec which does not use an ALPN at all. 
    > 
    > No new protocol should use TLS without ALPN.  It only opens space for cross-protocol attacks.  Did the working group consider this possibility in their discussions?

    What the working group asked for following the ALPN discussion was that the document contain a description of the options an authoritative nameserver that supports XoT can use to manage TLS connections and the queries received on those connections - that is provided in Appendix A: https://tools.ietf.org/html/draft-ietf-dprive-xfr-over-tls-11#appendix-A

    As more context, the document also covers various existing mechanisms that can be used to manage zone transfers (including IP ACLs and TSIG) and how they combine with Strict and Mutual TLS authentication. The document specifies that the server MUST use either an IP ACL or mTLS to authenticate the XoT client. 

    Regards

    Sara. 

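As an added illustration of the two points raised in the quoted exchange (this is example code written for this page, not code from the draft, the working group, or any participant), the Go program below stands up a TLS primary that offers a constructed ALPN identifier, `xot-example` (the draft deliberately registers none), and asks for, but does not require, a client certificate; after the handshake it applies the rule Sara describes: the transfer is served only if the negotiated ALPN is the expected one and the client is authenticated either by a verified client certificate (mTLS) or by an IP ACL. Everything else is constructed for the example too: self-signed certificates generated at run time, loopback TCP, a `127.0.0.0/8` ACL, and an explicitly supplied peer address so that an out-of-ACL secondary can be shown without leaving loopback. It relies on Go's `crypto/tls` (1.17 or later), whose server already aborts the handshake with `no_application_protocol` when a client offers only another protocol's ALPN; the policy function covers the remaining case of a client that sends no ALPN at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// XoTALPN is a constructed identifier for this example; the draft deliberately defines no ALPN for XoT.
const XoTALPN = "xot-example"

// selfSigned returns a throwaway self-signed certificate (constructed test material) and a pool trusting it.
func selfSigned(name string) (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// handshake runs one TLS handshake over loopback TCP and returns the primary's view of the connection.
func handshake(server, client *tls.Config) (tls.ConnectionState, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()
	done := make(chan struct{})
	defer close(done)
	go func() { // the secondary: connect, then hold the connection open until the primary is done
		if c, err := tls.Dial("tcp", ln.Addr().String(), client); err == nil {
			<-done
			c.Close()
		}
	}()
	raw, err := ln.Accept()
	if err != nil {
		return tls.ConnectionState{}, err
	}
	srv := tls.Server(raw, server)
	defer srv.Close()
	err = srv.Handshake() // a client offering only another protocol's ALPN fails here with no_application_protocol
	return srv.ConnectionState(), err
}

// authorizeXoT applies the thread's two points once the handshake is done: a peer that negotiated no ALPN, or
// another protocol's, is refused rather than silently served, and the client must be authenticated by a
// verified client certificate (mTLS) or by the IP ACL, which is the draft's MUST.
func authorizeXoT(cs tls.ConnectionState, remote net.IP, acl []*net.IPNet) error {
	if cs.NegotiatedProtocol != XoTALPN {
		return fmt.Errorf("negotiated ALPN %q, want %q", cs.NegotiatedProtocol, XoTALPN)
	}
	if len(cs.VerifiedChains) > 0 {
		return nil // mTLS: the client certificate chained to a configured CA
	}
	for _, n := range acl {
		if n.Contains(remote) {
			return nil // IP ACL match
		}
	}
	return fmt.Errorf("no trusted client certificate and %s is not in the ACL", remote)
}

// decide connects a constructed secondary (with or without its client certificate, offering the given ALPN
// list) and reports whether the primary would serve the transfer; remote is the peer address to check.
func decide(mtls bool, alpn []string, remote net.IP) error {
	serverCert, serverPool := selfSigned("primary.example")   // the authoritative primary
	clientCert, clientPool := selfSigned("secondary.example") // a secondary permitted to transfer
	// The primary offers only the XoT ALPN and asks for, but does not demand, a client certificate.
	srv := &tls.Config{Certificates: []tls.Certificate{serverCert}, NextProtos: []string{XoTALPN},
		ClientAuth: tls.VerifyClientCertIfGiven, ClientCAs: clientPool}
	cli := &tls.Config{RootCAs: serverPool, ServerName: "primary.example", NextProtos: alpn}
	if mtls {
		cli.Certificates = []tls.Certificate{clientCert}
	}
	cs, err := handshake(srv, cli)
	if err != nil {
		return err
	}
	_, acl, _ := net.ParseCIDR("127.0.0.0/8") // constructed ACL: only loopback secondaries
	return authorizeXoT(cs, remote, []*net.IPNet{acl})
}
```

`decide(true, []string{XoTALPN}, ip)` (mTLS) and `decide(false, []string{XoTALPN}, net.ParseIP("127.0.0.1"))` (ACL) return nil; a client with the right ALPN but neither credential, a client that sends no ALPN, and a client offering only `h2` are all refused, the last one by the TLS stack itself before any DNS code runs. The design point is that the two checks are separate and neither substitutes for the other: ALPN keeps a connection intended for a different TLS-based protocol out of the XoT code path, while the ACL-or-mTLS check is what actually authorizes the transfer.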