On Mon, Sep 30, 2024 at 3:12 PM Ben Schwartz <bem...@meta.com> wrote:
> OK, done: https://github.com/tlswg/draft-ietf-tls-svcb-ech/pull/16

Looks good other than some minor suggestions I made. Thanks for correctly
pointing out that DNSSEC doesn't help you when you are dealing with privacy
and untrusted DNS servers.

As for the RFC1034 reference, Warren suggested to maybe use: "DNS (see
RFC1034, BCP219)" (where BCP219 is the latest DNS Terminology doc).

Paul

------------------------------
> *From:* Salz, Rich <rsalz=40akamai....@dmarc.ietf.org>
> *Sent:* Monday, September 30, 2024 1:29 PM
> *To:* Ben Schwartz <bem...@meta.com>; Eric Rescorla <e...@rtfm.com>; Paul Wouters <paul.wout...@aiven.io>
> *Cc:* draft-ietf-tls-svcb-ech.auth...@ietf.org <draft-ietf-tls-svcb-ech.auth...@ietf.org>; <t...@ietf.org> <t...@ietf.org>; dnsop@ietf.org WG <dnsop@ietf.org>
> *Subject:* Re: [TLS] Re: [DNSOP] AD review draft-ietf-tls-svcb-ech
>
> > We could add a recommendation like "Clients using ECH SHOULD select a DNS
> > resolver that they trust to preserve the confidentiality of their queries
> > and return authentic answers, and communicate using an authenticated and
> > confidential transport", but this draft seems like an odd place for that
> > text.
>
> When DNS SVCB has an ech entry, DNS is being used a little differently
> than your conventional DNS for an IP address, since you can use TLS to
> authenticate what DNS told you. For ECH you cannot. In other words, I think a
> recommendation, or a warning in security considerations, is exactly right for
> this document.
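An added example, not code from the draft, the thread, or any of its participants, that makes the point in Rich's last paragraph concrete by decoding the one SvcParam at issue. It parses the SvcParams of an HTTPS record (RFC 9460 wire format: key, length, value, keys in strictly increasing order) and the ECHConfigList carried in the "ech" key (ECHConfig version 0xfe0d as in draft-ietf-tls-esni), and returns the fields a client acts on. Every one of those fields, including the HPKE public key the client encrypts its real SNI to and the public_name it puts in the cleartext ClientHelloOuter, arrives from whatever resolver answered the query; unlike an A/AAAA answer, where a wrong address fails the origin's certificate check, nothing in the later TLS handshake proves the resolver handed over the origin's real ECH key rather than a substituted one. The sample record is constructed here with a dummy public key, and the constants and function names are this example's own.

```python
"""Decode the "ech" SvcParam of an HTTPS record into its ECHConfig fields.

Added example (not from draft-ietf-tls-svcb-ech or the mailing-list thread).
Wire formats follow RFC 9460 (SvcParams) and draft-ietf-tls-esni (ECHConfigList).
The sample record is constructed, with a dummy X25519 public key.
"""
import base64
import struct
from typing import Optional

SVCPARAM_ALPN = 1
SVCPARAM_ECH = 5               # SvcParamKey "ech", RFC 9460 / draft-ietf-tls-svcb-ech
ECH_VERSION = 0xFE0D           # ECHConfig.version for draft-13 and later
KEM_X25519_HKDF_SHA256 = 0x0020
KDF_HKDF_SHA256 = 0x0001
AEAD_AES_128_GCM = 0x0001


def parse_svcparams(rdata: bytes) -> dict:
    """Split the SvcParams byte string into {key: value}.

    RFC 9460 requires keys in strictly increasing order and exact lengths;
    anything else makes the RR malformed, so raise rather than guess.
    """
    params, off, last_key = {}, 0, -1
    while off < len(rdata):
        if off + 4 > len(rdata):
            raise ValueError("truncated SvcParam header")
        key, length = struct.unpack_from("!HH", rdata, off)
        off += 4
        if key <= last_key:
            raise ValueError("SvcParamKeys not in strictly increasing order")
        if off + length > len(rdata):
            raise ValueError("truncated SvcParam value")
        params[key] = rdata[off:off + length]
        off, last_key = off + length, key
    return params


def _parse_echconfig_contents(b: bytes) -> dict:
    """ECHConfigContents: HpkeKeyConfig, maximum_name_length, public_name, extensions."""
    p = 0
    config_id = b[p]; p += 1
    kem_id, pk_len = struct.unpack_from("!HH", b, p); p += 4
    public_key = b[p:p + pk_len]; p += pk_len
    (cs_len,) = struct.unpack_from("!H", b, p); p += 2
    if cs_len % 4:
        raise ValueError("cipher_suites length not a multiple of 4")
    suites = [struct.unpack_from("!HH", b, p + i) for i in range(0, cs_len, 4)]
    p += cs_len
    max_name_len = b[p]; p += 1
    name_len = b[p]; p += 1
    public_name = b[p:p + name_len].decode("ascii"); p += name_len
    (ext_len,) = struct.unpack_from("!H", b, p); p += 2
    extensions = b[p:p + ext_len]; p += ext_len
    if p != len(b):
        raise ValueError("trailing bytes in ECHConfigContents")
    return {"version": ECH_VERSION, "config_id": config_id, "kem_id": kem_id,
            "public_key": public_key, "cipher_suites": suites,
            "maximum_name_length": max_name_len, "public_name": public_name,
            "extensions": extensions}


def parse_echconfiglist(data: bytes) -> list:
    """Decode an ECHConfigList; configs of unknown version stay opaque, as clients must treat them."""
    (total,) = struct.unpack_from("!H", data, 0)
    if 2 + total != len(data):
        raise ValueError("ECHConfigList length mismatch")
    off, configs = 2, []
    while off < len(data):
        version, length = struct.unpack_from("!HH", data, off)
        off += 4
        body = data[off:off + length]
        if len(body) != length:
            raise ValueError("truncated ECHConfig")
        off += length
        configs.append(_parse_echconfig_contents(body) if version == ECH_VERSION
                       else {"version": version, "opaque": body})
    return configs


def ech_configs_from_svcparams(rdata: bytes) -> Optional[list]:
    """Return the decoded ECHConfigs of an HTTPS record's SvcParams, or None if it has no "ech" key."""
    params = parse_svcparams(rdata)
    return parse_echconfiglist(params[SVCPARAM_ECH]) if SVCPARAM_ECH in params else None


def build_sample_echconfiglist() -> bytes:
    """Constructed ECHConfigList with one config and a dummy key (not a real deployment's)."""
    public_key = bytes(range(32))  # placeholder X25519 key, 32 bytes
    name = b"public.example"
    contents = (bytes([7])                                              # config_id
                + struct.pack("!HH", KEM_X25519_HKDF_SHA256, len(public_key)) + public_key
                + struct.pack("!H", 4) + struct.pack("!HH", KDF_HKDF_SHA256, AEAD_AES_128_GCM)
                + bytes([0])                                            # maximum_name_length
                + bytes([len(name)]) + name
                + struct.pack("!H", 0))                                 # no extensions
    cfg = struct.pack("!HH", ECH_VERSION, len(contents)) + contents
    return struct.pack("!H", len(cfg)) + cfg


def build_sample_svcparams() -> bytes:
    """SvcParams of a constructed HTTPS record: alpn="h2" (key 1) then ech (key 5)."""
    alpn = bytes([2]) + b"h2"
    ech = build_sample_echconfiglist()
    return (struct.pack("!HH", SVCPARAM_ALPN, len(alpn)) + alpn
            + struct.pack("!HH", SVCPARAM_ECH, len(ech)) + ech)


def ech_presentation_value(echconfiglist: bytes) -> str:
    """The ech="..." value as it appears in a zone file: base64 of the ECHConfigList."""
    return base64.b64encode(echconfiglist).decode("ascii")


if __name__ == "__main__":
    for cfg in ech_configs_from_svcparams(build_sample_svcparams()):
        print(cfg["public_name"], hex(cfg["kem_id"]), cfg["public_key"].hex())
```

In a real client the bytes handed to `ech_configs_from_svcparams` are the SvcParams portion of the HTTPS answer, which is exactly the portion the thread is about: the resolver's answer is the only source of `public_key` and `public_name`, and a resolver reached over an unauthenticated transport can replace or strip them without anything in the subsequent TLS handshake flagging it.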
_______________________________________________ DNSOP mailing list -- dnsop@ietf.org To unsubscribe send an email to dnsop-le...@ietf.org