On Feb 15, 2018, at 5:34 PM, Jan Komissar (jkomissa) <jkomi...@cisco.com> wrote:

> After pondering your response, my comments are inline:

Thanks!

>> Also, do you think that DNS-over-TCP should be formally deprecated? If so,
>> perhaps that's the right way to address this. If not, can you say why DSO
>> is special and requires TLS, when DNS-over-TCP does not?
>
> Is it that you want to make DSO-over-TLS MTI and DSO-over-TCP optional?
>
> Jan:
> It would be nice if we could make steps towards more secure DNS
> communications, and since DSO requires new client code, it could be a way of
> moving in that direction. I'm not ready to deprecate DNS-over-TCP, there are
> probably too many existing clients and servers deployed to start that
> process. On the other hand, if we want to improve communications security, it
> might be good to find ways that strongly encourage implementers in our space
> to adopt secure protocols, and making new features secure is a way to do
> that. So, it's not that DSO is special, but it's an opportunity to improve
> DNS security. That's why I would prefer the draft to require TLS. If the WG
> disagrees, so be it.

Understood. One way in which this certainly makes sense is that although DNSSEC can be used to authenticate DNS data, DSO data can't really be validated that way. And we don't have TSIG either. So it's certainly worth considering.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop