Re: [dane] An AD bit discussion

Andrew Sullivan <> Thu, 27 February 2014 04:23 UTC

List-Id: DNS-based Authentication of Named Entities <>

On Thu, Feb 27, 2014 at 03:17:53PM +1100, Mark Andrews wrote:
> I walk into a coffee shop.  I get an address.  I manage to get IPsec
> running between the server and myself because both ends are configured
> for opportunistic IPsec.

What does that have to do with the deployment scenario I was asking
about in the Microsoft case, or the one I understood Paul to be asking
about?  Those cases are entirely to do with managed infrastructure,
and the question is, _if_ you have that kind of managed infrastructure
scenario and _if_ you accept that someone could subvert your
management model (but you don't care because if they can do that then
you're screwed anyway), then is there any value in the AD bit?  I
think the answer is, "Maybe," but we're never going to sort that out
if people persist with arguments about scenarios that have nothing to
do with the one under discussion.

Yes, you should not trust the AD bit from random parts of the Internet
or opportunistic IPsec or whatever.  But that's not the case we're
talking about, I think.


Andrew Sullivan
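Editor's added example, not part of the thread above or of any
participant's code: the AD ("Authenticated Data") bit is a single flag
in the DNS message header, and the point made in the message is that a
stub should only act on it when the resolver that set it is reached over
a path the stub already trusts (managed infrastructure), never from an
arbitrary resolver on the Internet. The code below parses the header
flags of a constructed DNS response and gates the AD bit behind a
trusted-resolver policy. The trusted prefixes (loopback and 10.0.0.0/8)
and the helper names are assumptions for illustration only.

```python
import ipaddress
import struct

# DNS header flag bits in the 16-bit flags word (RFC 1035, AD/CD from RFC 4035).
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020  # Authenticated Data: resolver claims it validated the answer
FLAG_CD = 0x0010  # Checking Disabled
RCODE_MASK = 0x000F

# Assumption: resolvers on these prefixes are "managed infrastructure" whose
# management model the operator already relies on. Anything else is treated
# as "a random part of the Internet" and its AD bit is ignored.
TRUSTED_RESOLVER_NETS = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("10.0.0.0/8"),
)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header and expose the flag bits by name."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "flags": flags,
        "qr": bool(flags & FLAG_QR),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qdcount,
        "ancount": ancount,
        "nscount": nscount,
        "arcount": arcount,
    }


def build_response(ident: int, ad: bool, rcode: int = 0) -> bytes:
    """Constructed sample: a header-only response (QR, RD, RA set) with AD as requested."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (rcode & RCODE_MASK)
    if ad:
        flags |= FLAG_AD
    # One question, no answer records; the body is irrelevant for the flag check.
    return struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)


def resolver_is_trusted(resolver_addr: str, trusted=TRUSTED_RESOLVER_NETS) -> bool:
    """True if the resolver's address falls inside one of the trusted prefixes."""
    ip = ipaddress.ip_address(resolver_addr)
    return any(ip in net for net in trusted)


def authenticated(msg: bytes, resolver_addr: str, trusted=TRUSTED_RESOLVER_NETS) -> bool:
    """Accept the AD bit only when it comes from a resolver we are entitled to trust.

    The AD bit is a claim by the resolver, not a proof: it is only as good as
    the path to that resolver and the resolver's own configuration.
    """
    hdr = parse_header(msg)
    if not hdr["qr"]:
        return False  # not a response at all
    if not resolver_is_trusted(resolver_addr, trusted):
        return False  # AD from an untrusted resolver carries no weight
    return hdr["ad"]


if __name__ == "__main__":
    sample = build_response(0x1234, ad=True)
    print("AD set, trusted resolver  ->", authenticated(sample, "127.0.0.1"))
    print("AD set, Internet resolver ->", authenticated(sample, "8.8.8.8"))
```

The same header with the same AD bit yields a different trust decision
depending only on where it came from, which is exactly the distinction
the message draws between the managed-infrastructure case and the
coffee-shop case.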