On Mon, 8 Nov 2021, Tero Kivinen wrote:
Subject: [IPsec] WG Adoption call for draft-btw-add-ipsecme-ike
This is the start of a 2-week WG adoption call for this document, ending
2021-11-22. Please send your reply about whether you support adopting
this document as a WG document or not.
I support the idea of conveying a list of DNS servers that support
encryption. I am not sure if this draft's format and content is the
right way forward.
Note the text of the draft claims it updates RFC 8598 but doesn't do so
via an Updates: statement. Also, I think the relaxing of the requirement
is actually wrong, as it might cause a lack of interop between newer
servers and older clients not being able to negotiate working DNS if
the new servers no longer serve INTERNAL_IP*_DNS CFG payloads.
I am also not clear on the real use of negotiating hash algorithms for
the digest receiving of the ADD server "identity?", as the document
states the authentication happens as per Section 8 of [RFC8310]
which lists WebPKI or DANE authentication against the name and these
methods do not use this digest. I also do not understand the use of the
digest. For authentication, is it not needed as the entire IKEv2 exchange
is authenticated.
Paul
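The interop concern raised above (a server that stops sending INTERNAL_IP*_DNS once the requirement is relaxed, leaving a pre-draft client with no resolver) can be modelled on the wire. The following is an added example, not code from the draft or from either poster: it encodes and decodes the IKEv2 Configuration payload body from RFC 7296 section 3.15 and runs a legacy-client check over two constructed CFG_REPLY messages. The encrypted-DNS attribute type number (16384, in the RFC 7296 private-use range) and its value blob are placeholders for whatever the draft would define; the attribute types 3 and 10 are the real INTERNAL_IP4_DNS and INTERNAL_IP6_DNS values.

```python
import struct
import ipaddress

# IKEv2 Configuration payload constants from RFC 7296, section 3.15.
CFG_REQUEST, CFG_REPLY = 1, 2
INTERNAL_IP4_DNS = 3
INTERNAL_IP6_DNS = 10
# Placeholder for the draft's encrypted-DNS attribute: the real type would be
# assigned by IANA and is not on the page. 16384 is in the private-use range.
HYPOTHETICAL_ENCDNS_ATTR = 16384


def build_cfg_body(cfg_type, attrs):
    """Encode a Configuration payload body (the part after the generic payload
    header): CFG Type, 3 reserved bytes, then TLV attributes with a 15-bit
    type (R bit clear) and a 16-bit length."""
    body = struct.pack("!B3x", cfg_type)
    for attr_type, value in attrs:
        if attr_type > 0x7FFF:
            raise ValueError("attribute type must fit in 15 bits")
        body += struct.pack("!HH", attr_type, len(value)) + value
    return body


def parse_cfg_body(body):
    """Decode a Configuration payload body into (cfg_type, [(type, value)]),
    rejecting truncated attributes and a set reserved bit."""
    if len(body) < 4:
        raise ValueError("truncated CFG payload")
    cfg_type = body[0]
    attrs = []
    off = 4
    while off < len(body):
        if len(body) - off < 4:
            raise ValueError("truncated attribute header")
        raw_type, length = struct.unpack_from("!HH", body, off)
        off += 4
        if raw_type & 0x8000:
            raise ValueError("reserved bit set in attribute type")
        if len(body) - off < length:
            raise ValueError("attribute length exceeds payload")
        attrs.append((raw_type, body[off:off + length]))
        off += length
    return cfg_type, attrs


def legacy_client_dns(body):
    """Model a client that predates the draft: it understands only the
    INTERNAL_IP*_DNS attributes and skips unknown ones, as RFC 7296 requires.
    Returns the resolver addresses it would configure (possibly none)."""
    cfg_type, attrs = parse_cfg_body(body)
    if cfg_type != CFG_REPLY:
        raise ValueError("expected CFG_REPLY")
    servers = []
    for attr_type, value in attrs:
        if attr_type == INTERNAL_IP4_DNS and len(value) == 4:
            servers.append(str(ipaddress.IPv4Address(value)))
        elif attr_type == INTERNAL_IP6_DNS and len(value) == 16:
            servers.append(str(ipaddress.IPv6Address(value)))
    return servers


# Constructed sample replies; the encrypted-DNS value is a placeholder blob,
# not the draft's real encoding.
ENCDNS_BLOB = b"encrypted-dns-info-placeholder"

# A server that keeps serving the classic attributes alongside the new one.
REPLY_WITH_BOTH = build_cfg_body(CFG_REPLY, [
    (INTERNAL_IP4_DNS, ipaddress.IPv4Address("192.0.2.53").packed),
    (INTERNAL_IP6_DNS, ipaddress.IPv6Address("2001:db8::53").packed),
    (HYPOTHETICAL_ENCDNS_ATTR, ENCDNS_BLOB),
])

# A server relying on the relaxed requirement that sends only the new one.
REPLY_NEW_ONLY = build_cfg_body(CFG_REPLY, [
    (HYPOTHETICAL_ENCDNS_ATTR, ENCDNS_BLOB),
])

if __name__ == "__main__":
    print("both attributes:", legacy_client_dns(REPLY_WITH_BOTH))
    print("new attribute only:", legacy_client_dns(REPLY_NEW_ONLY))
```

The second reply parses cleanly and violates nothing in RFC 7296, yet the legacy client ends up with an empty resolver list; that is the failure mode a server-side MAY-instead-of-MUST would permit, and the reason a deployment that adopts the new attribute should keep sending INTERNAL_IP*_DNS until it no longer has to serve older clients.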