> On 8 Aug 2016, at 14:41, Shane Kerr <sh...@time-travellers.org> wrote:
>
> Hello,
>
> As for a requirement for TLS... the document currently says that
> implementers SHOULD use TLS. My own feeling is that this should be
> enough; apparently the recommendation to require TLS was made in the
> HTTP/2 working group and rejected, so I am not sure that we need to
> re-visit the entire discussion around the DNS over HTTP protocol.
>
> https://http2.github.io/faq/#does-http2-require-encryption
>
> Note that I do not have a strong preference here. This is a working
> group document, so if there is consensus for requiring TLS then that's
> how it is.
>
>
> A final oversight that occurred to me is that there should be a privacy
> section. This is because since the DNS over HTTP serves as a DNS
> resolver that all of the privacy considerations of a normal DNS
> resolver apply, and should be mentioned (probably referencing RFC 7626).

I agree with this because one thing that hasn’t ever been clear to me with this mechanism is what the privacy expectations of the user should be.

As I read the current draft a client should treat this from a privacy perspective with the same expectation as sending queries over UDP and TCP? I don’t think there is any intention to couple this to the Usage Profiles of Strict vs Opportunistic Privacy as described for DNS-over-(D)TLS, and no intention to re-use the authentication mechanisms described in draft-ietf-dprive-dtls-and-tls-profiles in Scenario 1? And the fact that TLS may be used is a separate consideration to any desire to explicitly provide privacy for the DNS client?

In some ways this feels like a missed opportunity for Scenario 1 but I appreciate wanting to limit the scope of this.

My main comment is that if my understanding is correct then I think the distinction between encryption/authentication in the HTTP layer for the purposes of 'tunnelling' and encrypting communication to provide privacy for the DNS client should be more clearly spelled out in the proposed Privacy section.

Sara.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop