Re: [dane] terminology question

Olafur Gudmundsson <> Wed, 04 December 2013 13:47 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id C3A211AE127 for <>; Wed, 4 Dec 2013 05:47:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.493
X-Spam-Status: No, score=0.493 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, TVD_PH_BODY_ACCOUNTS_PRE=2.393] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vS4c57ajGq4c for <>; Wed, 4 Dec 2013 05:47:56 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id DE2031AE11B for <>; Wed, 4 Dec 2013 05:47:55 -0800 (PST)
Received: from localhost (localhost.localdomain []) by (SMTP Server) with ESMTP id 1BFFD1B8162; Wed, 4 Dec 2013 08:47:52 -0500 (EST)
X-Virus-Scanned: OK
Received: by (Authenticated sender: with ESMTPSA id D912A1B8133; Wed, 4 Dec 2013 08:47:51 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: Olafur Gudmundsson <>
In-Reply-To: <>
Date: Wed, 04 Dec 2013 08:47:50 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: Peter Saint-Andre <>
X-Mailer: Apple Mail (2.1510)
Cc: " list" <>
Subject: Re: [dane] terminology question
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 04 Dec 2013 13:47:58 -0000

On Dec 3, 2013, at 7:17 PM, Peter Saint-Andre <> wrote:

> Hash: SHA1
> In RFC 6125, Jeff Hodges and I tried hard to define some terminology
> related to certificate checking in TLS. That terminology might not be
> ideal, but I'd like to see if we can align draft-ogud-dane-vocabulary
> with the RFC 6125 terms.
> In particular, RFC 6125 uses the term "source domain" to refer to the
> fully qualified domain name that a TLS client expects to find in the
> certificate (or, in DANE, potentially the key) that is presented by
> the TLS server. RFC 6125 also uses the term "derived domain" to refer
> to a domain name (or host name) that the client has derived from the
> source domain in an automated fashion (e.g., via a DNS SRV record).
> As far as I can determine, draft-ogud-dane-vocabulary uses the terms
> "Query [Name]" and "Final [Name]" for something like "source domain"
> and "derived domain". However, draft-ogud-dane-vocabulary also uses
> the terms "Service Specification Records" and "Service Address
> Records" in a way that might be similar, although I confess that I
> don't really grok draft-ogud-dane-vocabulary in fullness and the
> latter two terms are unclear to me.


Thanks asking this question, 

You made me read RFC6125 and to my horror the vocabulary there is attempting
similar things as I'm doing in my draft, but in section 1.8 I realized that you might have taken a 
shortcut that leads to a incomplete specification i.e. you are not taking into account the effects of
CNAME and DNAME records on the resolution, in particular DNAME requires careful rules 
as to the names used to present to the servers.  (my guess is this is where the "i don't really grok" 
comment comes from)  (I think NAPTR has similar effects). 

"Source domain" definition  is a good example of this. In -vocabulary- draft 
the application issues query for "query name" where it is expecting to find the "Service Specification Records". 
but DNAME/NAPTER/CNAME  rules may rewrite the name sent to application server to the "resulting name" from the query 
thus the term "Offered Name". 

For HTTP Service Specification Records == Service Address records i.e. address record is the service specification, 
but Jabber  uses SRV records for the Service Specification Records 
and the Service Address Records are associated with the servers listed in the SRV RRset. 

To a large extent I think the differences we see are due to the different approaches, i.e. you are attempting to word rules for existing applications.

I'm defining rules that are general and ignore the names existing applications have used an concentrate on concepts that then can be used
by application specifications.  
I wanted to create definitions that allow minimal DNS related text inside a DANE application specification 
(not sure I'm there yet). 

> Naming is hard, and I hope we can get it right.

Naming of concepts is hard, definitions are hard, 
understanding the nuances of interaction of multiple protocols is even harder :-) 


> Peter
> - -- 
> Peter Saint-Andre
> Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
> Comment: GPGTools -
> Comment: Using GnuPG with Thunderbird -
> iQIcBAEBAgAGBQJSnnSIAAoJEOoGpJErxa2pIPcP/3ynoIh5Xn1oBXMtf1Tj4yyZ
> sJc2kEoA1r49CLCz3TsqHaQonB/lK6tZP0WGYoNobj/C6Vd9U8RQW2TElWM7fVo1
> ltZmBA0Tx6KHv/XQmnNsrKVbiueqMui5tWvyHDE/x/Wt18lJPM1n4LdY+xkR4O62
> en7PCNTLNxAjkpjPKrEqbp0YYiI67rsnKxNOEJkjry3l+j9FOYlPyBtHAyRZISgV
> ZOGzz61RYDSid186uBQGizahaAabRvIwayQ8ZZTr7C+JYW//CckRRrC04R12h9K+
> qNfnzSzf11x01VMfEK2V7muD2uqi28LBXsC/vY2E/r6FRxAp7BS1OZccFK224NnK
> xI+ETnMsl/ZaWIOKhyJk44bWODWr6ij1Gxen3UoEIsU90akFmzCuCEdbdgf0lATr
> wX71rVUi5O/ytHQZ/YfhOtc2j7qbrnfSc7KZcgr7X7IkhexP3/nVKtuziqdrbL4U
> i7pVh5xlgyTszEyowyKWIjr0+J98Llbdz0Xs1hTOTwEONW4cx7TsUd05cwdmoc4G
> KLabfuUTYKp4NslfIV4smBIl2uzrYUaz0ACjLQSrzk4dNGZAj0L6IlyS92g211Pl
> WEIrV0m+zIhv6K1ffWiS
> =VUnT
> _______________________________________________
> dane mailing list