> On 29 Apr 2021, at 01:09, Martin Thomson <m...@lowentropy.net> wrote:
>
> On Wed, Apr 28, 2021, at 20:27, Sara Dickinson wrote:
>> An early version of this specification proposed a XoT-specific ALPN in
>> order to distinguish this from a connection intended to perform
>> recursive-to-authoritative DoT (often called ADoT). ADoT is not yet
>> specified, but is the subject of ongoing discussions in DPRIVE. The
>> working group rejected this idea for XoT and switched to the current
>> spec which does not use an ALPN at all.
>
> No new protocol should use TLS without ALPN. It only opens space for
> cross-protocol attacks. Did the working group consider this possibility in
> their discussions?
What the working group asked for following the ALPN discussion was that the
document contain a description of the options an authoritative nameserver that
supports XoT can use to manage TLS connections and the queries received on
those connections - that is provided in Appendix A:
https://tools.ietf.org/html/draft-ietf-dprive-xfr-over-tls-11#appendix-A
As more context, the document also covers various existing mechanisms that can
be used to manage zone transfers (including IP ACLs and TSIG) and how they
combine with Strict and Mutual TLS authentication. The document specifies that
the server MUST use either an IP ACL or mTLS to authenticate the XoT client.
Regards
Sara.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
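The rule Sara summarises (the server MUST authenticate an XoT client by IP ACL or by mTLS) and the point behind Martin's ALPN question (a TLS endpoint without ALPN should not be reachable as "some other" protocol) can both be seen in a small server-side policy check. The following is an added example written for this page; it is not code from the draft, from any DNS implementation, or from either poster. The data shapes (`Peer`, `ZonePolicy`, the `policies` map), the reason strings and the sample addresses/subjects are assumptions made for illustration; the only non-hypothetical parts are the DNS wire format and the AXFR/IXFR QTYPE values.

```python
"""Authorization check for a query arriving on an XoT connection.

Added example, not from the draft or the mailing-list thread. Policy shape,
names and sample data are hypothetical. Uses only the standard library.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# QTYPE values for zone transfer requests (IXFR: RFC 1995, AXFR: RFC 5936).
QTYPE_IXFR = 251
QTYPE_AXFR = 252


def parse_question(msg: bytes) -> Tuple[str, int]:
    """Return (qname, qtype) from the header and first question of a
    wire-format DNS message; raise ValueError if it is malformed."""
    if len(msg) < 12:
        raise ValueError("short header")
    _ident, _flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated qname")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Nothing precedes the first question for a pointer to reference.
            raise ValueError("compression pointer in question name")
        if pos + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels) + ".", qtype


def build_query(qname: str, qtype: int, ident: int = 0x1234) -> bytes:
    """Build a minimal query; used here only to construct sample input."""
    out = struct.pack("!6H", ident, 0, 1, 0, 0, 0)
    for label in qname.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + struct.pack("!HH", qtype, 1)


@dataclass
class Peer:
    """What the TLS layer knows about the client: its source address and,
    when mTLS was used and the chain verified, the client cert subject."""
    ip: str
    cert_subject: Optional[str] = None


@dataclass
class ZonePolicy:
    """Per-zone transfer policy (hypothetical shape): an IP ACL and/or a set
    of mTLS client identities that may request transfers."""
    acl: list = field(default_factory=list)
    mtls_subjects: Set[str] = field(default_factory=set)


def authorize(peer: Peer, policies: Dict[str, ZonePolicy], msg: bytes) -> Tuple[bool, str]:
    """Decide whether a query received on an XoT connection may be served."""
    try:
        qname, qtype = parse_question(msg)
    except ValueError as exc:
        return False, f"malformed query: {exc}"
    # This endpoint exists for zone transfers only. Refusing every other
    # QTYPE is one way to keep it from being used as a general DoT service
    # by a client that reached it without any ALPN to say otherwise.
    if qtype not in (QTYPE_AXFR, QTYPE_IXFR):
        return False, f"qtype {qtype} is not AXFR/IXFR"
    policy = policies.get(qname)
    if policy is None:
        return False, f"not authoritative for {qname}"
    addr = ipaddress.ip_address(peer.ip)
    # The thread's rule: IP ACL or mTLS. Either is sufficient here; a
    # deployment may require both (see the usage note).
    if any(addr in net for net in policy.acl):
        return True, "ip-acl"
    if peer.cert_subject is not None and peer.cert_subject in policy.mtls_subjects:
        return True, "mtls"
    return False, "client not authorized by IP ACL or mTLS"


# Constructed sample policy and peers (documentation ranges, not real hosts).
POLICIES = {
    "example.com.": ZonePolicy(
        acl=[ipaddress.ip_network("192.0.2.0/24")],
        mtls_subjects={"CN=secondary1.example.net"},
    ),
}

if __name__ == "__main__":
    axfr = build_query("example.com.", QTYPE_AXFR)
    a_query = build_query("www.example.com.", 1)
    for peer, msg in [
        (Peer("192.0.2.10"), axfr),                                 # in ACL, no cert
        (Peer("203.0.113.5", "CN=secondary1.example.net"), axfr),   # mTLS only
        (Peer("203.0.113.5"), axfr),                                # neither
        (Peer("192.0.2.10"), a_query),                              # not a transfer
    ]:
        print(peer.ip, peer.cert_subject, authorize(peer, POLICIES, msg))
```

Two choices are worth calling out. First, `authorize` treats the ACL and the mTLS identity as alternatives because that is the minimum the thread states; changing the two `if` branches to a single `and` gives the stricter "both" policy that the document's discussion of combining ACLs, TSIG and mutual TLS leaves open. Second, refusing non-transfer QTYPEs on the XoT endpoint is a server-side control and does not replace ALPN: it limits what a misdirected connection can do once it has arrived, but cannot distinguish an XoT client from an ADoT client at the handshake the way an ALPN identifier would.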