Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt
Alex Bligh <alex@alex.org.uk> Thu, 03 March 2011 21:29 UTC
Return-Path: <alex@alex.org.uk>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DE6983A6A20 for <dnsext@core3.amsl.com>; Thu, 3 Mar 2011 13:29:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.464
X-Spam-Level:
X-Spam-Status: No, score=-2.464 tagged_above=-999 required=5 tests=[AWL=0.135, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j-4++-bWjrQx for <dnsext@core3.amsl.com>; Thu, 3 Mar 2011 13:29:37 -0800 (PST)
Received: from mail.avalus.com (mail.avalus.com [89.16.176.221]) by core3.amsl.com (Postfix) with ESMTP id E6C1D3A6893 for <dnsext@ietf.org>; Thu, 3 Mar 2011 13:29:36 -0800 (PST)
Received: from [192.168.100.89] (87-194-71-186.bethere.co.uk [87.194.71.186]) by mail.avalus.com (Postfix) with ESMTPSA id 9F82AC566C4; Thu, 3 Mar 2011 21:30:41 +0000 (GMT)
Date: Thu, 03 Mar 2011 21:31:23 +0000
From: Alex Bligh <alex@alex.org.uk>
To: Tony Finch <dot@dotat.at>, Mark Andrews <marka@isc.org>
Message-ID: <618355BCA39C2F7544D51832@nimrod.local>
In-Reply-To: <alpine.LSU.2.00.1103031923050.14985@hermes-1.csi.cam.ac.uk>
References: <20110227191542.6824.qmail@joyce.lan> <335963D7-3440-45E6-843C-38F419462792@cisco.com> <4D6C3FD3.7010801@ucd.ie> <302DAD77E927757D3DEA05DF@nimrod.local> <alpine.LSU.2.00.1103031107460.14985@hermes-1.csi.cam.ac.uk> <20110303114148.A360FB98E2E@drugs.dv.isc.org> <alpine.LSU.2.00.1103031148130.14985@hermes-1.csi.cam.ac.uk> <20110303133541.C19B6B9E307@drugs.dv.isc.org> <alpine.LSU.2.00.1103031337570.14985@hermes-1.csi.cam.ac.uk> <20110303144600.11178B9E772@drugs.dv.isc.org> <alpine.LSU.2.00.1103031923050.14985@hermes-1.csi.cam.ac.uk>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Cc: Niall O'Reilly <Niall.oReilly@ucd.ie>, dnsext@ietf.org
Subject: Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Alex Bligh <alex@alex.org.uk>
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Mar 2011 21:29:38 -0000
--On 3 March 2011 19:39:26 +0000 Tony Finch <dot@dotat.at> wrote: > TLS doesn't try to validate the DNS responses, it verifies that you have > successfully connected to a server that can act for the domain you wanted > to reach. What does "can act for" mean? Any smarthost "can act for" (in the sense of can deliver mail to" any given domain, but it may require information for the server to determine whether it "can act" at the time of TLS (e.g. it might require authentication). I had thought the purpose of SMTP on TLS was to verify that the server was the server it claimed to be in the HELO line. Whether the sending server uses that as a decision point as to whether to send email on it is pretty much up to the sending server. >From RFC3207 > The decision of whether or not to believe the authenticity of the > other party in a TLS negotiation is a local matter. However, some > general rules for the decisions are: > > - A SMTP client would probably only want to authenticate an SMTP > server whose server certificate has a domain name that is the > domain name that the client thought it was connecting to. > - A publicly-referenced SMTP server would probably want to accept > any verifiable certificate from an SMTP client, and would possibly > want to put distinguishing information about the certificate in > the Received header of messages that were relayed or submitted > from the client. This is a similar degree of usefulness/uselessness to HTTP certs, which in the vast majority of cases (DN validated) simply tell you that the server you are visiting has a certificate purchased by someone who could receive mail at that domain or administer the zone. And before we get on our high horses about the usefulness or otherwise of other cert systems, that's not too much different from DNSSEC. -- Alex Bligh
- [dnsext] I-D Action:draft-ietf-dnsext-aliasing-re… Internet-Drafts
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Suzanne Woolf
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Ted Hardie
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Doug Barton
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Stephane Bortzmeyer
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Doug Barton
- Re: [dnsext] I-DAction:draft-ietf-dnsext-aliasing… George Barwood
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Alex Bligh
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… John Levine
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Patrik Fältström
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Stephane Bortzmeyer
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Alex Bligh
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Paul Hoffman
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Dan Schlitt
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Paul Vixie
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Alex Bligh
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Alex Bligh
- [dnsext] How to bring discussion to a close (was:… Andrew Sullivan
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Niall O'Reilly
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Alex Bligh
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Stephane Bortzmeyer
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Niall O'Reilly
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Niall O'Reilly
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Alex Bligh
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Niall O'Reilly
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Phillip Hallam-Baker
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Tony Finch
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Mark Andrews
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Tony Finch
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Tony Finch
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Mark Andrews
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Tony Finch
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Mark Andrews
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Phillip Hallam-Baker
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Tony Finch
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Alex Bligh
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Mark Andrews
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Mark Andrews
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Masataka Ohta
- [dnsext] errata on RFC1034 for recursive aliasing… Masataka Ohta
- Re: [dnsext] errata on RFC1034 for recursive alia… Mark Andrews
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Stephane Bortzmeyer
- Re: [dnsext] errata on RFC1034 for recursive alia… Andrew Sullivan
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Niall O'Reilly
- Re: [dnsext] errata on RFC1034 for recursive alia… Masataka Ohta
- Re: [dnsext] errata on RFC1034 for recursive alia… Andrew Sullivan
- Re: [dnsext] errata on RFC1034 for recursive alia… Paul Vixie
- Re: [dnsext] errata on RFC1034 for recursive alia… Masataka Ohta
- Re: [dnsext] errata on RFC1034 for recursive alia… Brian Dickson
- Re: [dnsext] errata on RFC1034 for recursive alia… John Levine
- Re: [dnsext] errata on RFC1034 for recursive alia… Masataka Ohta
- [dnsext] pricing for equivalent localized domain … Masataka Ohta
- Re: [dnsext] pricing for equivalent localized dom… John Levine
- Re: [dnsext] errata on RFC1034 for recursive alia… Brian Dickson
- Re: [dnsext] pricing for equivalent localized dom… Masataka Ohta
- Re: [dnsext] errata on RFC1034 for recursive alia… Masataka Ohta
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Brian Dickson
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Doug Barton