Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?

Mark Andrews <Mark_Andrews@isc.org> Tue, 12 August 2008 15:11 UTC

Message-Id: <200808121503.m7CF3taj069712@drugs.dv.isc.org>
To: Tony Finch <dot@dotat.at>
Cc: Michael StJohns <mstjohns@comcast.net>, namedroppers@ops.ietf.org
From: Mark Andrews <Mark_Andrews@isc.org>
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
In-reply-to: Your message of "Tue, 12 Aug 2008 14:59:53 +0100." <alpine.LSU.1.10.0808121452401.19189@hermes-1.csi.cam.ac.uk>
Date: Wed, 13 Aug 2008 01:03:55 +1000
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

> On Mon, 11 Aug 2008, Michael StJohns wrote:
> >
> > SSL/TLS has the nice properties that I can deploy it per server (e.g. I
> > can get incremental benefit), that I can do off-tree validations, and
> > that a hell of a lot of servers already implement it.
> 
> It has the problem that a large proportion of MXs that offer TLS have the
> wrong certificate, so you can't easily turn on certificate verification
> for your outgoing email.  There's essentially no requirement for
> certificate verification in the specification, nor is it clear exactly
> which domain you are supposed to compare against any certificate.

	The certificate should match the host name in the reply to
	the HELO message which should in turn also match EXCHANGE
	in the MX record in the general case.

	Checking the latter part was specified in RFC 821 Section
	3.5. OPENING AND CLOSING.

      "At the time the transmission channel is opened there is an
      exchange to ensure that the hosts are communicating with the
      hosts they think they are."

	The former is a logical extension.

	Mark

> Tony.
> -- 
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> NORTH UTSIRE SOUTH UTSIRE: SOUTHEASTERLY 4, BACKING NORTHEASTERLY 5 TO 7 FOR A
> TIME. MODERATE OR ROUGH. RAIN OR SHOWERS. MODERATE OR GOOD, OCCASIONALLY POOR.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
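The two-link name check Mark describes (certificate name against the host announced in the 220 greeting, which in turn must equal the selected MX EXCHANGE), written out as an added example; this is not Mark's or ISC's code. It assumes the subjectAltName dNSName values have already been extracted from the peer certificate, and the MX name, greeting and certificate names below are constructed sample values, not a real server.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample session (not a real server): the MX we selected, the 220
# greeting the server sent, and the dNSName entries from its certificate.
SAMPLE_MX_EXCHANGE = "mx1.example.net."
SAMPLE_GREETING = "220 mx1.example.net ESMTP ready"
SAMPLE_CERT_NAMES = ["*.example.net", "example.net"]

@dataclass
class SmtpPeer:
    mx_exchange: str            # EXCHANGE field of the MX record we selected
    greeting_host: str          # host name the server announced in its 220 reply
    cert_dns_names: List[str]   # subjectAltName dNSName entries of its certificate

def _canon(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is just FQDN notation.
    return name.rstrip(".").lower()

def greeting_host_from_220(line: str) -> str:
    """Pull the announced host name out of a '220 host ...' (or '220-host') reply."""
    m = re.match(r"^220[ -](\S+)", line)
    if not m:
        raise ValueError("not a 220 greeting: " + line)
    return m.group(1)

def cert_name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single '*' standing for the whole left-most label only."""
    p, h = _canon(pattern), _canon(host)
    if p == h:
        return True
    if p.startswith("*."):
        pl, hl = p.split("."), h.split(".")
        # Same label count, identical tail, and never let '*.tld' match a bare domain.
        return len(pl) == len(hl) >= 3 and pl[1:] == hl[1:]
    return False

def verify_peer(peer: SmtpPeer) -> Tuple[bool, str]:
    """Apply both links of the chain; return (ok, reason) so the caller can log it."""
    if _canon(peer.greeting_host) != _canon(peer.mx_exchange):
        return False, f"greeting host {peer.greeting_host} != MX exchange {peer.mx_exchange}"
    if not any(cert_name_matches(n, peer.mx_exchange) for n in peer.cert_dns_names):
        return False, f"no certificate name matches {peer.mx_exchange}"
    return True, "MX exchange, greeting host and certificate names agree"

def verify_sample() -> Tuple[bool, str]:
    host = greeting_host_from_220(SAMPLE_GREETING)
    return verify_peer(SmtpPeer(SAMPLE_MX_EXCHANGE, host, SAMPLE_CERT_NAMES))

if __name__ == "__main__":
    print(verify_sample())
```

A mismatch at either link is reported with its reason rather than silently accepted, which is the kind of logging an operator needs before turning verification from warn-only to enforcing.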