On 09-09-19 14:52, Paul Wouters wrote:
> On Mon, 9 Sep 2019, Willem Toorop wrote:
>
>> The only change since the previous version (i.e.
>> draft-sury-toorop-dnsop-server-cookies-00) is that we no longer
>> recommend to include the Client IP address with constructing client
>> cookies:
>>
>>    When implementing DNS Cookies, several DNS vendors found that
>>    impractical as the Client Cookie is typically computed before the Client
>>    IP address is known. Therefore, the requirement to put Client IP address
>>    as input to was removed, and it is simply RECOMMENDED to
>>    disable the DNS Cookies when privacy is required.
>
> Wouldn't this enable me to obtain some cookies from within a network,
> and then re-use those cookies from outside the network? The reason for
> including the IP was to pin the cookie to the specific client IP.

No, Client IP is still included in *Server* Cookie generation, just not
in Client Cookie construction. So the re-use from different network
protection is still there.

> I cannot see a diff because you didn't instruct the data tracker that
> this adopted document continues from the individual submission :(

Oh, sorry. I indicated that it replaced the previous draft (and
Donald's). Is that not correct?

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
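
The point made in the reply above, as an added example that is not part of the original message and is not the draft's own code: a Server Cookie keyed on the client IP fails verification when replayed from another address, even though the Client Cookie itself carries no IP. Assumptions: truncated HMAC-SHA-256 stands in for the draft's hash function, and the field layout, secret, addresses and timestamps are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

SERVER_SECRET = bytes(range(16))  # constructed sample secret, never a real key
VERSION = 1                       # assumed version field for this sketch
HASH_LEN = 8


def _mac(client_cookie: bytes, prefix: bytes, client_ip: str) -> bytes:
    # The client IP is an input on the server side only.
    ip = ipaddress.ip_address(client_ip).packed  # 4 bytes (IPv4) or 16 (IPv6)
    msg = client_cookie + prefix + ip
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:HASH_LEN]


def make_server_cookie(client_cookie: bytes, client_ip: str, now: int) -> bytes:
    # Assumed layout: version (1) | reserved (3) | timestamp (4) | hash (8)
    prefix = struct.pack("!B3xI", VERSION, now & 0xFFFFFFFF)
    return prefix + _mac(client_cookie, prefix, client_ip)


def verify_server_cookie(client_cookie: bytes, server_cookie: bytes,
                         client_ip: str, now: int, max_age: int = 3600) -> bool:
    if len(client_cookie) != 8 or len(server_cookie) != 8 + HASH_LEN:
        return False
    prefix, tag = server_cookie[:8], server_cookie[8:]
    version, issued = struct.unpack("!B3xI", prefix)
    if version != VERSION or not 0 <= now - issued <= max_age:
        return False
    # Recompute with the source address of *this* query; constant-time compare.
    return hmac.compare_digest(tag, _mac(client_cookie, prefix, client_ip))


def demo() -> dict:
    client_cookie = bytes.fromhex("0123456789abcdef")  # constructed, no IP input
    issued = 1568040720                                 # constructed timestamp
    cookie = make_server_cookie(client_cookie, "192.0.2.10", issued)
    check = lambda ip, t: verify_server_cookie(client_cookie, cookie, ip, t)
    return {
        "same_ip": check("192.0.2.10", issued + 60),
        "other_ip": check("198.51.100.7", issued + 60),  # replay from elsewhere
        "expired": check("192.0.2.10", issued + 7200),
    }


if __name__ == "__main__":
    print(demo())
```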