On Wed, Feb 7, 2018 at 8:21 AM, Mirja Kühlewind <i...@kuehlewind.net> wrote:
> Mirja Kühlewind has entered the following ballot position for
> draft-ietf-tls-dnssec-chain-extension-06: No Objection
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Two minor, mostly editorial comments:
>
> 1) Intro (sec 2): " It also provides the
> ability to avoid potential problems with TLS clients being unable to
> look up DANE records because of an interfering or broken middlebox on
> the path between the client and a DNS server."
> Is that actually a well-known problem (can you provide a reference?)

Some folks (at Google and NLnet Labs if I recall; maybe others) have done
measurements to show this is an actual problem -- for a relatively small
but still non-trivial fraction of clients. We'll try to see if we can dig
up specific references to documents that could be cited.

> or would
> it be enough to say something like this: " It also provides the
> ability to avoid potential problems with TLS clients being unable to
> look up DANE records when DNS server is not reachable."
>

Your rewording of this sentence would unfortunately not be accurate. It's
usually not the DNS server that is unreachable, but that some middlebox
has done something wrong, such as: not allowing DANE queries or responses
through; not allowing DNSSEC signatures through; not allowing EDNS options
that enable DNSSEC through; or engaging in other misbehavior.

> 2) IANA Considerations should probably be updated.
>

I guess you are suggesting that the last sentence is probably obsolete:
"If the draft is adopted by the WG, the authors expect to make an early
allocation request as specified in [RFC7120]." Agreed. It's a little late
for that! :-) We will remove it.

Shumon Huque
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls