rfc9704v8.txt | rfc9704.txt | |||
---|---|---|---|---|
skipping to change at line 414 ¶ | skipping to change at line 414 ¶ | |||
is considered tamperproof because any actor who could modify the | is considered tamperproof because any actor who could modify the | |||
response could already modify all of the user's other DNS responses. | response could already modify all of the user's other DNS responses. | |||
If the client cannot obtain a response from the external resolver | If the client cannot obtain a response from the external resolver | |||
within a reasonable timeframe, it MUST consider the verification | within a reasonable timeframe, it MUST consider the verification | |||
process to have failed. | process to have failed. | |||
To ensure that this assumption holds, clients MUST NOT relax the | To ensure that this assumption holds, clients MUST NOT relax the | |||
acceptance rules they would otherwise apply when using this resolver. | acceptance rules they would otherwise apply when using this resolver. | |||
For example, if the client would check the Authenticated Data (AD) | For example, if the client would check the Authenticated Data (AD) | |||
bit or validate RRSIGs locally when using this resolver, it must also | bit or validate RRSIGs locally when using this resolver, it must also | |||
do so when resolving TXT records for this purpose. A compliant | do so when resolving TXT records for this purpose. The client MAY | |||
client MAY perform DNSSEC validation for the verification query even | perform DNSSEC validation for the verification query even if it has | |||
if it has disabled DNSSEC validation for other DNS queries. | disabled DNSSEC validation for other DNS queries. | |||
6.2. Using DNSSEC | 6.2. Using DNSSEC | |||
The client resolves the Verification Record using any resolution | The client resolves the Verification Record using any resolution | |||
method of its choice (e.g., querying one of the network-provided | method of its choice (e.g., querying one of the network-provided | |||
resolvers, performing iterative resolution locally) and performs full | resolvers, performing iterative resolution locally) and performs full | |||
DNSSEC validation locally [RFC6698]. The result is processed based | DNSSEC validation locally [RFC6698]. The result is processed based | |||
on its DNSSEC validation state (Section 4.3 of [RFC4035]): | on its DNSSEC validation state (Section 4.3 of [RFC4035]): | |||
*Secure*: The response is used for validation. | *Secure*: The response is used for validation. | |||
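Review bot: the lowercase "must" in "it must also do so when resolving TXT records for this purpose" sits between the normative "MUST NOT relax" and "MAY perform DNSSEC validation"; under RFC 8174 only the uppercase forms carry requirement weight, so if this sentence is meant as its own requirement rather than as the "For example" illustration of the preceding MUST NOT, spell it "MUST also do so". Dropping "compliant" from "A compliant client MAY perform" is fine, since MAY already scopes the statement to conforming implementations.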
skipping to change at line 528 ¶ | skipping to change at line 528 ¶ | |||
different version of its global domain on its internal network. | different version of its global domain on its internal network. | |||
First, the host and network both need to support one of the discovery | First, the host and network both need to support one of the discovery | |||
mechanisms described in Section 5. Figure 2 shows discovery using | mechanisms described in Section 5. Figure 2 shows discovery using | |||
information from the DNR and the PvD. | information from the DNR and the PvD. | |||
Validation is then performed using either an external resolver | Validation is then performed using either an external resolver | |||
(Section 8.1) or DNSSEC (Section 8.2). | (Section 8.1) or DNSSEC (Section 8.2). | |||
*Steps 1-2*: The client determines the network's DNS server | *Steps 1-2*: The client determines the network's DNS server | |||
(dns.example.net) and PvD ID (pvd.example.com) using DNR and PvD, | (dns.example.net) and PvD ID (pvd.example.com) using DNR and a | |||
along with one of the following: DNR Router Solicitation, DHCPv4, | PvD, along with one of the following: DNR Router Solicitation, | |||
or DHCPv6. | DHCPv4, or DHCPv6. | |||
*Steps 3-5*: The client connects to dns.example.net using an | *Steps 3-5*: The client connects to dns.example.net using an | |||
encrypted transport as indicated in DNR [RFC9463], authenticating | encrypted transport as indicated in DNR [RFC9463], authenticating | |||
the server to its name using TLS (Section 8 of [RFC8310]), and | the server to its name using TLS (Section 8 of [RFC8310]), and | |||
sends it a query for the address of pvd.example.com. | sends it a query for the address of pvd.example.com. | |||
*Steps 6-7*: The client connects to the PvD server, validates its | *Steps 6-7*: The client connects to the PvD server, validates its | |||
certificate, and retrieves the PvD Additional Information | certificate, and retrieves the PvD Additional Information | |||
indicated by the associated PvD. The JSON object contains: | indicated by the associated PvD. The JSON object contains: | |||
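Review bot: the cross-references "an external resolver (Section 8.1) or DNSSEC (Section 8.2)" are worth double-checking against the numbering visible in the first change block, where "Using DNSSEC" is Section 6.2; if 8.1 and 8.2 are subsections of this example that walk through each validation method, the sentence could say so ("as illustrated in Section 8.1 or Section 8.2"), otherwise the intended targets look like 6.1 and 6.2. The change from "using DNR and PvD" to "using DNR and a PvD" reads fine, though "a PvD" here and "the associated PvD" in Steps 6-7 could be aligned to the same article.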
End of changes. 2 change blocks.
6 lines changed or deleted, 6 lines changed or added.
This html diff was produced by rfcdiff 1.48.