On 09-09-19 14:52, Paul Wouters wrote:
> On Mon, 9 Sep 2019, Willem Toorop wrote:
> 
>> The only change since the previous version (i.e.
>> draft-sury-toorop-dnsop-server-cookies-00) is that we no longer
>> recommend to include the Client IP address with constructing client
>> cookies:
>>
>> When implementing DNS Cookies, several DNS vendors found that
>> impractical as the Client Cookie is typically computed before the Client
>> IP address is known. Therefore, the requirement to put Client IP address
>> as input to was removed, and it is simply RECOMMENDED to disable the DNS
>> Cookies when privacy is required.
> 
> Wouldn't this enable me to obtain some cookies from within a network,
> and then re-use those cookies from outside the network? The reason for
> including the IP was to pin the cookie to the specific client IP.

No, Client IP is still included in *Server* Cookie generation, just not
in Client Cookie construction.  So the re-user from different network
protection is still there.

> I cannot see a diff because you didn't instruct the data tracker that
> this adopted document continues from the individual submission :(

Oh, sorry.  I indicated that it replaced the previous draft (and
Donald's) that is not correct?

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
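
The property discussed in this thread, as an added example that is not part of the original messages or of the draft: a Client Cookie is chosen without knowing the client IP, while the Server Cookie is a keyed hash that covers the client IP, so it fails validation when replayed from another address. The cookie layout (4-byte timestamp plus 8-byte MAC), the use of truncated HMAC-SHA-256 as the keyed hash, the secret, the validity window and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import ipaddress
import struct

SERVER_SECRET = bytes(range(16))   # constructed sample secret (assumption)
MAX_AGE = 3600                     # assumed validity window, in seconds


def _mac(client_cookie: bytes, timestamp: int, client_ip: str) -> bytes:
    """Keyed hash over Client Cookie | timestamp | client IP (stand-in MAC)."""
    ip = ipaddress.ip_address(client_ip).packed
    msg = client_cookie + struct.pack("!I", timestamp) + ip
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:8]


def make_server_cookie(client_cookie: bytes, client_ip: str, now: int) -> bytes:
    """Server side: bind the cookie to the source address of the query."""
    if len(client_cookie) != 8:
        raise ValueError("client cookie must be 8 bytes")
    return struct.pack("!I", now) + _mac(client_cookie, now, client_ip)


def verify_server_cookie(client_cookie: bytes, server_cookie: bytes,
                         client_ip: str, now: int) -> bool:
    """Recompute the MAC with the address the query actually came from."""
    if len(client_cookie) != 8 or len(server_cookie) != 12:
        return False
    (timestamp,) = struct.unpack("!I", server_cookie[:4])
    if not 0 <= now - timestamp <= MAX_AGE:
        return False               # expired, or timestamp in the future
    expected = _mac(client_cookie, timestamp, client_ip)
    return hmac.compare_digest(expected, server_cookie[4:])


# Constructed sample values: the client cookie is picked with no IP input.
CLIENT_COOKIE = bytes.fromhex("0123456789abcdef")
INSIDE_IP, OUTSIDE_IP = "192.0.2.10", "198.51.100.7"
ISSUED_AT = 1568033520
COOKIE = make_server_cookie(CLIENT_COOKIE, INSIDE_IP, ISSUED_AT)

if __name__ == "__main__":
    for ip in (INSIDE_IP, OUTSIDE_IP):
        ok = verify_server_cookie(CLIENT_COOKIE, COOKIE, ip, ISSUED_AT + 60)
        print(f"{ip}: {'accepted' if ok else 'rejected'}")
```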
