Re: [DNSOP] Question about usage of ip6.arpa and in-addr.arpa

Paul Vixie <vixie@fsi.io> Mon, 12 March 2018 23:47 UTC

Return-Path: <vixie@fsi.io>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D4641250B8 for <dnsop@ietfa.amsl.com>; Mon, 12 Mar 2018 16:47:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8HOaSB9TZbXD for <dnsop@ietfa.amsl.com>; Mon, 12 Mar 2018 16:47:00 -0700 (PDT)
Received: from mail.fsi.io (mail.fsi.io [104.244.13.176]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D80B3124F57 for <dnsop@ietf.org>; Mon, 12 Mar 2018 16:47:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at fsi.io
Sender: vixie@fsi.io
Received: from tums.local (p548C9DB3.dip0.t-ipconnect.de [84.140.157.179]) (Authenticated sender: vixie) by mail.fsi.io (Postfix) with ESMTPSA id 343DA6027D; Mon, 12 Mar 2018 23:46:53 +0000 (UTC)
From: Paul Vixie <vixie@fsi.io>
To: dnsop@ietf.org
Cc: Jim Reid <jim@rfc1035.com>, Paul Hoffman <paul.hoffman@vpnc.org>
Date: Mon, 12 Mar 2018 23:43:52 +0000
Message-ID: <1901968.hGXDQp3ZVe@tums.local>
Organization: Farsight Security, Inc.
In-Reply-To: <7B867A66-4B80-4070-ACA9-7C94A63FBC17@rfc1035.com>
References: <B7531E71-AC04-4D40-86B0-74F2DCA92446@letsencrypt.org> <0EE4F82D-AD7B-4D50-B415-6B5558B7E974@vpnc.org> <7B867A66-4B80-4070-ACA9-7C94A63FBC17@rfc1035.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/RMW_il1_mcO9uOkoy0A0AnVcHQM>
Subject: Re: [DNSOP] Question about usage of ip6.arpa and in-addr.arpa
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Mar 2018 23:47:02 -0000

On Monday, March 12, 2018 11:12:36 PM GMT Jim Reid wrote:
> > On 12 Mar 2018, at 17:37, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> > 
> > If the use case here is to be able to issue certificates for TLS servers
> > based on the IP address instead of the domain name, creating something
> > new in the DNS may be overkill. That is, why even have Section 4.1 of
> > draft-ietf-acme-ip at all? What's wrong with only having direct HTTPS
> > access?
> Is web the only protocol that runs on the Internet now? I realise that might
> seem to be the case these days, but even so... :-)

we need to use TLS to secure both dns-over-https and some forms of TCP/53 in 
which the server's address is known but not its name.

-- 
Vixie