Re: [dnsext] New RRTYPE assignment request: SSLFP RRTYPE Request

Edward Lewis <Ed.Lewis@neustar.biz> Mon, 13 April 2009 20:47 UTC


So, it's like this?

hostname.example.tld.            AAAA  2003:82BF:9E21::CAFE:BEEF
_http._tcp.hostname.example.tld. TLSFP 80 0 5 1 F6CD025B3F5D03040895 (
                                                 05354A0115584B56D683 )
_http._tcp.hostname.example.tld. TLSFP 80 0 5 1 584B56D683F6CD025B3F (
                                                 5D0304089505354A0115 )
_ssh._tcp.hostname.example.tld.  TLSFP 22 1 2 1 123456789abcdef67890 (
                                                 123456789abcdef67890 )
(latter instead of)
_ssh._tcp.hostname.example.tld.  SSHFP 2 1 123456789abcdef67890 (
                                            123456789abcdef67890 )

Positioning this as an improvement on the SRV record is certainly 
more promising than this old proposal to extend the KEY RR 
(http://www.potaroo.net/ietf/all-ids/draft-lewis-dnsext-key-genprot-00.txt). 
I mention the latter because it was part of the SYKED BOF, which 
tried to organize the three proposals to put application keys into 
the DNS - the SSH proposal, which did make it to an RFC, and a proposal 
for IPSEC, which also went to RFC, were the other two.  The KEY RR 
generic was dropped.

The "con" to the idea was the thought of putting too much emphasis on 
the security of DNSSEC, i.e., if the DNS key was mangled, other 
protocols could then be mangled.  I don't know if I really buy that 
argument, but it was the big hit SYKED took from the Security Area. 
But SSH and IPSECKEY (the WG name) got specific key proposals through.

I think it's a good idea; I think the discussion is over the security 
models of the applications and how much fate sharing they can take 
with DNSSEC.

At 16:00 -0400 4/13/09, Andrew Sullivan wrote:
>Dear colleagues,
>
>I hereby post the attached template for public review, under the terms
>of RFC 5395.  This posting begins the formal comment period under
>section 3.1.1 (1) in RFC 5395.
>
>Due to the unavailability of others, I'll be the expert performing
>this review.
>
>Please provide any comments you have on the proposal by 17:00 EDT on
>2009-05-04.  I may not be able to consider comments received after
>that time.
>
>Best regards,
>
>Andrew
>
>--
>Andrew Sullivan
>ajs@shinkuro.com
>Shinkuro, Inc.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis             
NeuStar                    You can leave a voice message at +1-571-434-5468

Getting everything you want is easy if you don't want much.
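Added example, not part of the message or of the SSLFP draft: a Python sketch that parses records in the layout sketched above (joining parenthesised continuation lines the RFC 1035 master-file way and rejecting a ")" that precedes its "("), publishes a SHA-1 fingerprint for a key, and accepts a presented key only when the DNS answer was DNSSEC-validated, which is the fate-sharing point of the thread. The RDATA field meanings (port, flag, algorithm, fingerprint type, hex fingerprint) and "type 1 = SHA-1" are assumptions modelled on SSHFP, and the zone text is constructed.

```python
import hashlib
# Constructed sample zone in the layout sketched in the message. RDATA field
# meaning (port, flag, algorithm, fptype, hex fingerprint) is assumed from SSHFP.
SAMPLE_ZONE = """\
hostname.example.tld.            AAAA  2003:82BF:9E21::CAFE:BEEF
_http._tcp.hostname.example.tld. TLSFP 80 0 5 1 F6CD025B3F5D03040895 (
                                                 05354A0115584B56D683 )
_ssh._tcp.hostname.example.tld.  TLSFP 22 1 2 1 123456789abcdef67890 (
                                                 123456789abcdef67890 )
"""

def logical_lines(text):
    """Join parenthesised continuation lines into one record each."""
    records, buf, depth = [], [], 0
    for line in text.splitlines():
        depth += line.count("(") - line.count(")")
        if depth < 0:
            raise ValueError("')' before '(' in: %r" % line)
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            records.append(" ".join(" ".join(buf).split()))
            buf = []
    if depth:
        raise ValueError("unterminated '(' at end of zone text")
    return records

def parse_tlsfp(text):
    """Return a dict per TLSFP record; other types are skipped."""
    out = []
    for rec in logical_lines(text):
        f = rec.split()
        if len(f) < 7 or f[1] != "TLSFP":
            continue
        fptype, fp = int(f[5]), bytes.fromhex("".join(f[6:]))
        if fptype != 1 or len(fp) != 20:  # only type 1 = SHA-1 (assumed) here
            raise ValueError("unsupported fingerprint in %s" % f[0])
        out.append({"owner": f[0], "port": int(f[2]), "flag": int(f[3]),
                    "alg": int(f[4]), "fptype": fptype, "fp": fp})
    return out

def tlsfp_record(owner, port, flag, alg, key_der):
    """Presentation-format line publishing the SHA-1 of a key (type 1)."""
    digest = hashlib.sha1(key_der).hexdigest().upper()
    return "%s TLSFP %d %d %d 1 %s" % (owner, port, flag, alg, digest)

def key_matches(rec, key_der, dnssec_validated):
    """Accept only a DNSSEC-validated answer whose SHA-1 matches the key."""
    if not dnssec_validated:
        return False
    return hashlib.sha1(key_der).digest() == rec["fp"]
```

Without validation the published fingerprint is worth no more than the unauthenticated DNS path it arrived over, so key_matches refuses it outright rather than falling back to a plain compare.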