Was there a problem with my suggested CURRENT / NEW suggestion ? Sent using a virtual keyboard on a phone
> On Oct 28, 2022, at 15:14, Daniel Migault <mglt.i...@gmail.com> wrote: > > > Hi Paul, > > I am wondering if there are any remaining concerns left for the > draft-ietf-homenet-naming-architecture-dhc-options document and anything you > would like us to address to lift your discuss. > > Yours, > Daniel > >> On Mon, Oct 24, 2022 at 8:49 PM Daniel Migault <mglt.i...@gmail.com> wrote: >> Hi Paul, >> >> Thanks for the follow-up. The reason we mentioned both RFC7858 and RFC9103 >> is that the communication between the Homenet Naming Authority (HNA) and the >> Distribution Manager (DM) involves two different channels. The Control >> Channel that aims at configuring/managing the Synchronization Channel (i.e. >> the primary/secondary). The Control Channel uses DNS over TLS RFC7858 while >> the Synchronization Channel uses DNS Zone transfer over TLS 9103. The two >> channels always go in pairs. As both are using DNS over TLS we use the >> mnemonic 'DoT' for the Selected Transport. From what you are saying, it >> might be clearer to just mention 'TLS' for the Selected Transport as DoT >> might be really tightened to 7858. If you think this is clearer, I am happy >> to do so as well as with any name that you think is clearer. >> >> Yours, >> Daniel >> >>> On Mon, Oct 24, 2022 at 7:20 PM Paul Wouters <paul.wout...@aiven.io> wrote: >>>> >>>> >>>>> On Sun, Oct 23, 2022 at 10:45 PM Daniel Migault <mglt.i...@gmail.com> >>>>> wrote: >>>>> While TLS gives you privacy, >>>>>>>> the DNS Update cannot be done with only TLS (as far as I understand >>>>>>>> it). >>>>>>> please develop, but just in case, we do not use dns update to >>>>>>> synchronize the zone. we use AFXR/IXRF over TLS define din XoT. >>>> >>>> This to me was not clear and a missed reference by me. While you name >>>> RFC9103, the text states: >>>> >>>> DNS over TLS: indicates the support of DNS over TLS as described in >>>> [RFC7858] and [RFC9103]. >>>> >>>> I should have looked more closely at the references, and I would have >>>> realized 9103 is about DNS XFR over TLS. That document indeed explains >>>> that XoT uses mutually authenticated TLS which provides the authentication >>>> for the XFR streams. >>>> >>>> My suggestion: >>>> >>>> Current: >>>> DNS over TLS: indicates the support of DNS over TLS as described in >>>> [RFC7858] and [RFC9103]. >>>> >>>> New: >>>> >>>> DNS Zone Transfer over TLS: indicates the support of DNS Zone Transfer >>>> over TLS as described in [RFC9103] >>>> >>> >>> The reference to RFC7858 is misleading - it only deals with stub to >>> recursive. >>> >>> If you think stub to recursive is in scope, it might be better to use two >>> DHCP options as these two things >>> seem to be very separate protocols (that just both happen to use DNS and >>> TLS) >>> >>> >>> >>>>> >>>>> So you are going against the RFC 5936 SHOULD. >>>>> >>>>> I even had to look this up because I didn't know you could do an AXFR as >>>>> a secondary >>>>> from a primary without DNS level authentication. Apparently you can, but >>>>> you SHOULD not. >>>>> >>>> That is what we do. TLS provides enough security to replace TSIG / SIG(0). >>> >>> >>> Reading 9103 made that clear to me now, but the text in the document did >>> not. Perhaps that can be stated more clearly ? >>> >>> Paul >> >> >> -- >> Daniel Migault >> Ericsson > > > -- > Daniel Migault > Ericsson
_______________________________________________ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet
