Proposed text looks good to me. -Tiru
> -----Original Message-----
> From: dns-privacy [mailto:dns-privacy-boun...@ietf.org] On Behalf Of Sara Dickinson
> Sent: Tuesday, November 14, 2017 4:34 PM
> To: dns-privacy@ietf.org
> Subject: Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement
>
> Hi All,
>
> This draft is now ready to progress once a -12 version is available. I just want
> to circle back round to summarise the fact that the only proposed difference
> that will be in the -12 version compared to -11 is the following (in section 7.2.
> Direct configuration of ADN only):
>
> Current text:
>
> “It can then use Opportunistic DNS connections to an untrusted recursive
> DNS resolver to establish the IP address of the intended privacy-enabling
> DNS resolver by doing a lookup of A/AAAA records. Such
> records SHOULD be DNSSEC validated when using a Strict Usage profile
> and MUST be validated when using Opportunistic Privacy.”
>
> New text:
>
> “It can then use Opportunistic DNS connections to an untrusted recursive
> DNS resolver to establish the IP address of the intended privacy-enabling
> DNS resolver by doing a lookup of A/AAAA records. A
> DNSSEC validating client SHOULD apply the same validation policy
> to the A/AAAA meta-query lookups as it does to other queries.
> A client that does not validate DNSSEC SHOULD apply the same policy (if any)
> to the A/AAAA meta-query lookups as it does to other queries.”
>
> I hope I captured the consensus correctly? Please let me know as I intend to
> put out the -12 (final) version next Monday (20th).
>
> Sara.
>
> > On 31 Oct 2017, at 16:12, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> >
> > On 31 Oct 2017, at 8:06, Sara Dickinson wrote:
> >
> >> So maybe “A DNSSEC validating client SHOULD apply the same validation
> >> policy to the A/AAAA meta-query lookup as it does to other queries.”?
> >
> > That could be misinterpreted to indicate that there has to be some positive
> > validation policy. How about:
> >    A DNSSEC validating client SHOULD apply the same validation policy
> >    to the A/AAAA meta-query lookup as it does to other queries.
> >    A client that does not validate DNSSEC SHOULD apply any policy it
> >    has to the A/AAAA meta-query lookup.
> >
> > --Paul Hoffman
>
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy