Hi Paul,

Thanks for the follow-up. The reason we mentioned both RFC7858 and RFC9103
is that the communication between the Homenet Naming Authority (HNA) and
the Distribution Manager (DM) involves two different channels. The Control
Channel aims at configuring/managing the Synchronization Channel (i.e.
the primary/secondary). The Control Channel uses DNS over TLS (RFC7858), while
the Synchronization Channel uses DNS Zone Transfer over TLS (RFC9103). The two
channels always go in pairs. As both are using DNS over TLS, we use the
mnemonic 'DoT' for the Selected Transport. From what you are saying, it
might be clearer to just mention 'TLS' for the Selected Transport, as DoT
might be really tied to RFC7858. If you think this is clearer, I am happy
to do so, as well as with any name that you think is clearer.

Yours,
Daniel

On Mon, Oct 24, 2022 at 7:20 PM Paul Wouters <paul.wout...@aiven.io> wrote:

>
> On Sun, Oct 23, 2022 at 10:45 PM Daniel Migault <mglt.i...@gmail.com>
> wrote:
>
>> While TLS gives you privacy,
>>
>>> the DNS Update cannot be done with only TLS (as far as I understand it).
>>>>
>>>> Please develop, but just in case, we do not use DNS Update to
>>>> synchronize the zone. We use AXFR/IXFR over TLS as defined in XoT.
>>>>
>>>
> This to me was not clear and a missed reference by me. While you name
> RFC9103, the text states:
>
> DNS over TLS: indicates the support of DNS over TLS as described in
> [RFC7858 <https://datatracker.ietf.org/doc/html/rfc7858>] and
> [RFC9103 <https://datatracker.ietf.org/doc/html/rfc9103>].
>
> I should have looked more closely at the references, and I would have
> realized 9103 is about DNS XFR over TLS. That document indeed explains
> that XoT uses mutually authenticated TLS which provides the authentication
> for the XFR streams.
>
> My suggestion:
>
> Current:
>
> DNS over TLS: indicates the support of DNS over TLS as described in
> [RFC7858 <https://datatracker.ietf.org/doc/html/rfc7858>] and
> [RFC9103 <https://datatracker.ietf.org/doc/html/rfc9103>].
>
> New:
>
> DNS Zone Transfer over TLS: indicates the support of DNS Zone Transfer
> over TLS as described in [RFC9103].
>
> The reference to RFC7858 is misleading - it only deals with stub to
> recursive.
>
> If you think stub to recursive is in scope, it might be better to use two
> DHCP options, as these two things seem to be very separate protocols
> (that just both happen to use DNS and TLS).
>
>>
>>> So you are going against the RFC 5936 SHOULD.
>>>
>>> I even had to look this up because I didn't know you could do an AXFR as
>>> a secondary from a primary without DNS level authentication. Apparently
>>> you can, but you SHOULD not.
>>>
>> That is what we do. TLS provides enough security to replace TSIG /
>> SIG(0).
>>
>
> Reading 9103 made that clear to me now, but the text in the document did
> not. Perhaps that can be stated more clearly?
>
> Paul
>


-- 
Daniel Migault
Ericsson
_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet