"Wessels, Duane" <[email protected]> writes:

> The former draft described two approaches to establishing a
> DNS-over-TLS session: upgrade-based (aka STARTTLS for DNS) and
> port-based. In this new version we have removed the upgrade-based
> approach and describe only the use of a well-known port.
Yay, thank you!

I believe the abstract or introduction section should mention that TLS gives you data integrity services, which protects against on-path tampering. Right now the document talks about encryption to protect against eavesdropping. However, the RFC 7258 pervasive monitoring attack includes active attacks, and thus I believe talking about integrity is useful to set the context right.

One comment/thought around the /etc/service name 'domain-s'. I find it undescriptive and difficult to type. How about 'dnsovertls' or something more descriptive?

/Simon
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
