Re: [dane] namespace management, DANE Client Authentication draft updated

"John Levine" <> Wed, 13 January 2016 06:42 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id C48221A21B2 for <>; Tue, 12 Jan 2016 22:42:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.036
X-Spam-Status: No, score=-1.036 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, KHOP_DYNAMIC=0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UNMABJKLzWEx for <>; Tue, 12 Jan 2016 22:42:44 -0800 (PST)
Received: from ( [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8FD771A1E0F for <>; Tue, 12 Jan 2016 22:42:44 -0800 (PST)
Received: (qmail 78347 invoked from network); 13 Jan 2016 06:42:43 -0000
Received: from unknown ( by with QMQP; 13 Jan 2016 06:42:43 -0000
Date: 13 Jan 2016 06:42:21 -0000
Message-ID: <20160113064221.54965.qmail@ary.lan>
From: "John Levine" <>
In-Reply-To: <>
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <>
Subject: Re: [dane] namespace management, DANE Client Authentication draft updated
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 13 Jan 2016 06:42:45 -0000

>>  It has very little to do with distinct transport protocols, and
>>  everything to do with avoiding name collisions.  Nobody runs POP or
>>  IMAP over UDP, but the SRV names are still _pop3._tcp and _imap._tcp.

>with the only benefit of this separation ...

The benefit of putting the service name behind a transport name is to
put the service names in a separate namespace where they don't collide
with anything else and they're already managed by IANA.

>or we inject additional labels, making the name further removed
>from identifying a DANE application at a given DNS node:
> IN TLSA 3 1 1 ...
>because _client might be used in non-dane contexts,

No, it's, and it's because
someone might use _application in other contexts.

> and we want to distinguish TCP from UDP, 

Not really.

> ...  But what's the real benefit to all this?

You're avoiding name collisions down the road.

>James makes a plausible point about _client as a way to carve out
>a zone for clients, but because unlike SMIME/A or OPENPGPKEY the
>base domain is here typically not a zone apex, but rather a specific
>host, carving out a new zone under each host scales poorly.

Surely we don't have to review the difference between name components
and zone cuts. Nobody has proposed putting a new zone under each host