Re: [certid] DNSSEC-based name canonicalization

Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 17 September 2010 07:52 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: mrex@sap.com
In-Reply-To: <201009170521.o8H5LxdZ003712@fs4113.wdf.sap.corp>
Message-Id: <E1OwVkN-00022p-Ct@wintermute02.cs.auckland.ac.nz>
Date: Fri, 17 Sep 2010 19:52:39 +1200
Cc: certid@ietf.org
Subject: Re: [certid] DNSSEC-based name canonicalization

Martin Rex <mrex@sap.com> writes:

>Are there already workable procedures and APIs for software to distinguish
>"normal" DNSSEC lookup results from "trustworthy" DNSSEC lookup results with
>some level of portability?

If you mean "is there a way to say 'I don't care about authentication, just
gimme an address, dammit'", i.e. a getaddrinfo_unauthenticated(), then no,
this was explicitly excluded from the DNSSEC work with a let-them-eat-cake
argument that if anyone cared about this then they could just hack around at
the res_query() level themselves.  Note that this is just for basic DNS vs.
DNSSEC lookups; given that you can't even do that, I doubt there's any way to
do vanilla DNSSEC vs. EV-cert-equivalent DNSSEC.

Peter.
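The "hack around at the res_query() level" that the message refers to amounts to looking at the AD (Authenticated Data) flag in the raw response header, since getaddrinfo() gives an application no way to ask for or see it. The following is an added example, not code from the thread or from any resolver library: it classifies a raw DNS response buffer of the kind res_query()/res_nquery() return (the query would be sent with RES_USE_DNSSEC so the DO bit is set) as authenticated, unauthenticated, or unusable, and wraps that in a "validated answers only" policy check. The three sample headers are constructed for the example and carry only the 12-byte header; the function names and the enum are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* DNS message header layout (RFC 1035 section 4.1.1); the AD flag is bit 5 of
 * the flags word (RFC 4035 section 3.2.3). In real use the buffer comes from
 * res_query()/res_nquery() issued with RES_USE_DNSSEC so the DO bit goes out
 * in the query; this example only parses the header, it performs no lookup. */
#define DNS_HEADER_LEN 12
#define DNS_FLAG_QR    0x8000   /* 1 = this is a response */
#define DNS_FLAG_TC    0x0200   /* truncated: retry over TCP before trusting anything */
#define DNS_FLAG_AD    0x0020   /* authenticated data, set by a validating resolver */
#define DNS_RCODE_MASK 0x000F

/* Example's own classification of what the resolver told us. */
enum dns_trust {
    DNS_TRUST_INVALID = -1,        /* not a usable response at all */
    DNS_TRUST_UNAUTHENTICATED = 0, /* ordinary answer, no DNSSEC assurance */
    DNS_TRUST_AUTHENTICATED = 1    /* resolver asserts validation succeeded */
};

enum dns_trust dns_answer_trust(const unsigned char *msg, size_t len)
{
    if (msg == NULL || len < DNS_HEADER_LEN)
        return DNS_TRUST_INVALID;
    uint16_t flags = (uint16_t)((msg[2] << 8) | msg[3]);
    /* Reject non-responses, truncated replies and any error rcode
     * (SERVFAIL is what a validating resolver returns on a bogus zone). */
    if (!(flags & DNS_FLAG_QR) || (flags & DNS_FLAG_TC) ||
        (flags & DNS_RCODE_MASK) != 0)
        return DNS_TRUST_INVALID;
    return (flags & DNS_FLAG_AD) ? DNS_TRUST_AUTHENTICATED
                                 : DNS_TRUST_UNAUTHENTICATED;
}

/* Application policy: proceed (1) only when the resolver validated the answer,
 * refuse (0) otherwise. This is the strict mode the libc API cannot express. */
int dns_require_authenticated(const unsigned char *msg, size_t len)
{
    return dns_answer_trust(msg, len) == DNS_TRUST_AUTHENTICATED;
}

/* Constructed sample headers (id 0x1234, qdcount 1); only the flags word
 * differs. A real message continues with question/answer sections. */
static const unsigned char sample_validated[DNS_HEADER_LEN] =
    { 0x12, 0x34, 0x81, 0xA0, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00 };
static const unsigned char sample_plain[DNS_HEADER_LEN] =
    { 0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00 };
static const unsigned char sample_servfail[DNS_HEADER_LEN] =
    { 0x12, 0x34, 0x81, 0x82, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

static const char *trust_name(enum dns_trust t)
{
    switch (t) {
    case DNS_TRUST_AUTHENTICATED:   return "authenticated (AD set)";
    case DNS_TRUST_UNAUTHENTICATED: return "unauthenticated (AD clear)";
    default:                        return "invalid/error response";
    }
}

int main(void)
{
    printf("validated: %s\n", trust_name(dns_answer_trust(sample_validated, DNS_HEADER_LEN)));
    printf("plain:     %s\n", trust_name(dns_answer_trust(sample_plain, DNS_HEADER_LEN)));
    printf("servfail:  %s\n", trust_name(dns_answer_trust(sample_servfail, DNS_HEADER_LEN)));
    return 0;
}
```

Two caveats go with this. The AD bit is only the validating resolver's assertion and is unprotected on the wire, so it is meaningful only when the resolver is on the same host or reached over an authenticated channel (RFC 4035 section 4.9.3); a forwarder on an untrusted network can set or clear it at will. And the bit distinguishes validated from unvalidated data only; it says nothing about how the zone's key was introduced into the trust chain, which is the "vanilla vs. EV-equivalent" distinction the message says cannot be made at all through these interfaces.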