OK, done: https://github.com/tlswg/draft-ietf-tls-svcb-ech/pull/16

From: Salz, Rich <rsalz=40akamai....@dmarc.ietf.org>
Sent: Monday, September 30, 2024 1:29 PM
To: Ben Schwartz <bem...@meta.com>; Eric Rescorla <e...@rtfm.com>; Paul Wouters <paul.wout...@aiven.io>
Cc: draft-ietf-tls-svcb-ech.auth...@ietf.org <draft-ietf-tls-svcb-ech.auth...@ietf.org>; <tls@ietf.org> <tls@ietf.org>; dn...@ietf.org WG <dn...@ietf.org>
Subject: Re: [TLS] Re: [DNSOP] AD review draft-ietf-tls-svcb-ech
We could add a recommendation like "Clients using ECH SHOULD select a DNS resolver that they trust to preserve the confidentiality of their queries and return authentic answers, and communicate using an authenticated and confidential transport", but this draft seems like an odd place for that text.

When DNS SVCB has an ech entry, DNS is being used a little differently than your conventional DNS for an IP address, since you can use TLS to authenticate what DNS told you. For ECH you cannot. In other words, I think a recommendation, or a warning in security considerations, is exactly right for this document.
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
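As an added example (not from the thread, the draft, or any implementation it names), the Python below parses the base64 ECHConfigList that the SVCB/HTTPS "ech" SvcParam carries, following the ECHConfig layout from draft-ietf-tls-esni; the key bytes, config_id and public_name in the sample are constructed placeholders. It makes the point of the reply concrete: every field a client acts on comes straight from the DNS answer, and nothing in the structure or the later TLS handshake authenticates it.

```python
import base64
import struct

ECH_VERSION = 0xFE0D  # ECHConfig version defined by draft-ietf-tls-esni


def _u16(buf: bytes, off: int):
    return struct.unpack_from(">H", buf, off)[0], off + 2


def parse_ech_param(b64: str) -> list:
    """Parse an "ech" SvcParam value (base64 ECHConfigList) into its ECHConfigs.
    Nothing in the structure authenticates it: public_name and the HPKE key are
    taken on faith from the DNS answer, which is why resolver trust matters."""
    data = base64.b64decode(b64)
    total, off = _u16(data, 0)
    if off + total != len(data):
        raise ValueError("ECHConfigList length does not match payload")
    configs = []
    while off < len(data):
        version, off = _u16(data, off)
        length, off = _u16(data, off)
        body, off = data[off:off + length], off + length
        if version != ECH_VERSION:  # unknown versions are skipped, not rejected
            continue
        p = 1  # body[0] is config_id
        kem_id, p = _u16(body, p)
        pk_len, p = _u16(body, p)
        public_key, p = body[p:p + pk_len], p + pk_len
        cs_len, p = _u16(body, p)
        suites = [struct.unpack_from(">HH", body, p + i) for i in range(0, cs_len, 4)]
        p += cs_len
        max_name_len, name_len, p = body[p], body[p + 1], p + 2
        public_name, p = body[p:p + name_len].decode("ascii"), p + name_len
        ext_len, p = _u16(body, p)
        if p + ext_len != len(body):
            raise ValueError("ECHConfig contents length mismatch")
        configs.append({"version": version, "config_id": body[0], "kem_id": kem_id,
                        "public_key": public_key, "cipher_suites": suites,
                        "maximum_name_length": max_name_len, "public_name": public_name})
    return configs


def build_sample_ech_param() -> str:
    """Constructed sample value with a placeholder key (not a real ECH key)."""
    public_key = bytes(range(32))  # stand-in for a 32-byte X25519 public key
    c = struct.pack(">BHH", 7, 0x0020, len(public_key)) + public_key  # config_id, DHKEM(X25519)
    c += struct.pack(">HHH", 4, 0x0001, 0x0001)  # one suite: HKDF-SHA256 / AES-128-GCM
    c += struct.pack(">BB", 64, 11) + b"example.net"  # maximum_name_length, public_name
    c += struct.pack(">H", 0)  # no extensions
    config = struct.pack(">HH", ECH_VERSION, len(c)) + c
    return base64.b64encode(struct.pack(">H", len(config)) + config).decode()
```

`build_sample_ech_param()` yields the string that would follow `ech=` in the presentation form of an HTTPS record; feeding it to `parse_ech_param` returns one config with public_name `example.net`.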