| rfc9704v10.txt | rfc9704.txt | |||
|---|---|---|---|---|
| skipping to change at line 614 ¶ | skipping to change at line 614 ¶ | |||
| external resolver to issue TXT queries for the Verification | external resolver to issue TXT queries for the Verification | |||
| Records. The TXT lookup returns a token that matches the claim. | Records. The TXT lookup returns a token that matches the claim. | |||
| *Step 3*: The client has validated that example.com has authorized | *Step 3*: The client has validated that example.com has authorized | |||
| dns.example.net to serve example.com. When the client connects | dns.example.net to serve example.com. When the client connects | |||
| using an encrypted transport as indicated in DNR [RFC9463], it | using an encrypted transport as indicated in DNR [RFC9463], it | |||
| will authenticate the server to its name using TLS (Section 8 of | will authenticate the server to its name using TLS (Section 8 of | |||
| [RFC8310]) and send queries to resolve any names that fall within | [RFC8310]) and send queries to resolve any names that fall within | |||
| the claimed zones. | the claimed zones. | |||
| NOTE: '\' line wrapping per RFC 8792 | ||||
| +---------+ +--------------------+ +----------+ | +---------+ +--------------------+ +----------+ | |||
| | Client | | Network's | | External | | | Client | | Network's | | External | | |||
| | | | Encrypted Resolver | | Resolver | | | | | Encrypted Resolver | | Resolver | | |||
| +---------+ +--------------------+ +----------+ | +---------+ +--------------------+ +----------+ | |||
| | | | | | | | | |||
| | TLS connection | | | | TLS connection | | | |||
| |--------------------------------------------------->| | |--------------------------------------------------->| | |||
| | ---------------------------\ | | | | ---------------------------\ | | | |||
| |-| validate TLS certificate | | | | |-| validate TLS certificate | | | | |||
| | |--------------------------| | | | | |--------------------------| | | | |||
| skipping to change at line 664 ¶ | skipping to change at line 662 ¶ | |||
| the expected token. The client then performs full DNSSEC | the expected token. The client then performs full DNSSEC | |||
| validation locally. | validation locally. | |||
| *Step 3*: If the DNSSEC validation is successful and the token | *Step 3*: If the DNSSEC validation is successful and the token | |||
| matches, then this authorization claim is validated. Once the | matches, then this authorization claim is validated. Once the | |||
| client connects using an encrypted transport as indicated in DNR | client connects using an encrypted transport as indicated in DNR | |||
| [RFC9463], it will authenticate the server to its name using TLS | [RFC9463], it will authenticate the server to its name using TLS | |||
| (Section 8 of [RFC8310]) and send queries to resolve any names | (Section 8 of [RFC8310]) and send queries to resolve any names | |||
| that fall within the claimed zones. | that fall within the claimed zones. | |||
| NOTE: '\' line wrapping per RFC 8792 | ||||
| +---------+ +--------------------+ | +---------+ +--------------------+ | |||
| | Client | | Network's | | | Client | | Network's | | |||
| | | | Encrypted Resolver | | | | | Encrypted Resolver | | |||
| +---------+ +--------------------+ | +---------+ +--------------------+ | |||
| | | | | | | |||
| | DNSSEC OK (DO), TXT? dns.example.net.\ | | | DNSSEC OK (DO), TXT? dns.example.net.\ | | |||
| | _splitdns-challenge.example.com (1) | | | _splitdns-challenge.example.com (1) | | |||
| |-------------------------------------------------------------->| | |-------------------------------------------------------------->| | |||
| | | | | | | |||
| | TXT token=DEF..., Signed Answer (RRSIG) (2) | | | TXT token=DEF..., Signed Answer (RRSIG) (2) | | |||
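Review bot: the same `NOTE: '\' line wrapping per RFC 8792` line is removed from this figure as well (the summary reports 4 lines deleted and 0 added), but the figure still wraps the query name across two lines with a trailing backslash (`| DNSSEC OK (DO), TXT? dns.example.net.\` continued as `| _splitdns-challenge.example.com (1)`), so a reader of rfc9704.txt loses the local cue that the queried owner name is the single name dns.example.net._splitdns-challenge.example.com rather than two separate labels; either keep the note next to this figure or make sure RFC 8792 is referenced once, document-wide, before the first wrapped figure.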
| End of changes. 2 change blocks. | ||||
| 4 lines changed or deleted | 0 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||