On Mon, 9 Sep 2019, Willem Toorop wrote:
The only change since the previous version (i.e.
draft-sury-toorop-dnsop-server-cookies-00) is that we no longer
recommend to include the Client IP address with constructing client cookies:
When implementing DNS Cookies, several DNS vendors found that
impractical as the Client Cookie is typically computed before the Client
IP address is known. Therefore, the requirement to put Client IP address
as input to was removed, and it simply RECOMMENDED to disable the DNS
Cookies when privacy is required. herefore, the requirement to put
Client IP address as input to was removed, and it simply RECOMMENDED to
disable the DNS Cookies when privacy is required.
Wouldn't this enable me to obtain some cookies from within a network,
and then re-use those cookies from outside the network? The reason for
including the IP was the pin the cookie to the specific client IP.
I cannot see a diff because you didn't instruct the data tracker that
this adopted document continues from the individual submission :(
I was going to look at the diff to the security section, but I guess
there is none because the document does not yet contain a security
section. But I would expect a good write up of the impact of not
including the IP address in a cookie in that section.
Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop