New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IETF-106 Discussion Topics #20
Comments
6 - Are there any gaps in section 4, Threat Model and Problem Statement? |
On Q 1 - See https://datatracker.ietf.org/meeting/104/materials/slides-104-dprive-dot-for-insecure-delegations-01.pdf - especially the grid in slide 11 (last slide). From https://tools.ietf.org/html/draft-bretelle-dprive-dot-for-insecure-delegations-00 On signaling - See https://tools.ietf.org/html/draft-levine-dprive-signal-01 |
Raw notes from 106: threat model -
DoT always required?
Trust anchor/authority: Should this depend only on the DNS, such as DANE, or also on Certification Authorities?
Downgrade Prevention & Preferences: Should the user (e.g. stub, app, resolver) be able to say only ever use DoT and never downgrade? Or should the authoritative domain be the only one? Or should both be permitted and let the app/stub decide what to do based on that info?
Discovery: What requirements do we have for a recursive to determine availability of encryption on an authoritative server? (e.g. loose coupling vs. whitelists are okay)
high level
|
Potential topics authors wish to raise for discussion at IETF-106:
1 - WebPKI (CA) or DANE (TLSA)? Or both options?
2 - Allow fallback to Do53 or not? Or allow the domain owner to signal or user/client to signal whether fallback can occur?
3 - Is support for ADoT on a per nameserver basis or a per domain basis (so some domains on a NS may support while others may not)?
4 - Are the certificates based on NS IP address or name?
5 - DNSSEC support - MUST, SHOULD, or not mentioned?
The text was updated successfully, but these errors were encountered: