IETF Logo Mail Archive

Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?

Mark Andrews <Mark_Andrews@isc.org> Mon, 11 August 2008 23:51 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2F34B3A6912; Mon, 11 Aug 2008 16:51:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.439
X-Spam-Level:
X-Spam-Status: No, score=-2.439 tagged_above=-999 required=5 tests=[AWL=0.160, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mFgD5ZTJCTHv; Mon, 11 Aug 2008 16:51:41 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 84A8B3A6E02; Mon, 11 Aug 2008 16:51:38 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KSh5g-000Pp3-GZ for namedroppers-data@psg.com; Mon, 11 Aug 2008 23:46:20 +0000
Received: from [2001:470:1f00:820:214:22ff:fed9:fbdc] (helo=drugs.dv.isc.org) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <marka@isc.org>) id 1KSh5c-000Poe-O1 for namedroppers@ops.ietf.org; Mon, 11 Aug 2008 23:46:18 +0000
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.2/8.14.2) with ESMTP id m7BNk9pg063448; Tue, 12 Aug 2008 09:46:10 +1000 (EST) (envelope-from marka@drugs.dv.isc.org)
Message-Id: <200808112346.m7BNk9pg063448@drugs.dv.isc.org>
To: Michael StJohns <mstjohns@comcast.net>
Cc: namedroppers@ops.ietf.org
From: Mark Andrews <Mark_Andrews@isc.org>
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
In-reply-to: Your message of "Mon, 11 Aug 2008 16:03:27 -0400." <20080811200329.9A7A4114027@mx.isc.org>
Date: Tue, 12 Aug 2008 09:46:09 +1000
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

> At 09:18 PM 8/10/2008, Mark Andrews wrote:
> 
> >> OK - but MX-records point to host names which point to A/AAAA records whic
> h
> >> point to IP addresses...
> >> If the bad guy is on the wire, he can intercept and replace your SMTP
> >> traffic anyway. 
> >> DNSSEC or not.
> >> 
> >> SRV-records also point to host names which...
> >
> >        DNS security is required for SMTP security to work. 
> 
> Absurd claim.

	Not really.  SMTP is not HTTPS where you know apriori which
	certificate to check for.  For SMTP you need to check the
	certificate of the mail exchanger and to find that securely
	you need DNSSEC to verify the MX record or its absence so
	you know when to use the implict MX record.

	Mark
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email