Re: [DNSOP] SRV-related _underscore registry (was Re: Call for Adoption: draft-crocker-dns-attrleaf)

"John Levine" <johnl@taugh.com> Tue, 01 March 2016 18:14 UTC

Date: Tue, 01 Mar 2016 18:13:32 -0000
Message-ID: <20160301181332.71478.qmail@ary.lan>
From: John Levine <johnl@taugh.com>
To: dnsop@ietf.org
In-Reply-To: <CAMm+LwjJ0xe2wDW98JHJfV5jV3xTeuMNguU=rkqrZMzmei2iHA@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/t_9j5RmIfbJYBuY7vWZH6si7Z3g>
Cc: phill@hallambaker.com
Subject: Re: [DNSOP] SRV-related _underscore registry (was Re: Call for Adoption: draft-crocker-dns-attrleaf)

>So while SRV and NAPTR and the TXT records are stuck using the two
>level approach, there is also a clear need for a meta-discovery record
>that only uses the service prefix.

Maybe.

>Using SRV discovery you might use:
>
>_mmm._tcp.example.com SRV 1 10 80 host1.example.com
>_mmm._tcp.example.com SRV 1 10 443 host2.example.com
>
>This is OK but it's rather ugly. Does port 80 vs 443 entail the
>implicit use of TLS?

The practice to date has been to register separate service names for
versions of a service that do implicit TLS, e.g., http and https, imap
and imaps, pop3 and pop3s, sip and sips.  This is a kludge but it's a
well established kludge.  Service names are cheap, so it's a cheap
kludge.

> If so what factors would determine the SSL trust anchor?

RFC 6698 would tell you to look up the TLSA record at
_443._tcp.example.com.  (Note the port number rather than service
name, specifically to handle TLS services on nonstandard ports.)  In
the absence of DANE you presumably use whatever trust anchor you use.

R's,
John
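Added example (not code from the thread or from any of its participants): it parses SRV records in presentation format and derives the TLSA owner name a DANE client would look up, showing why the TLSA label carries the port number rather than the service name. The SRV records are constructed to mirror the ones quoted above; the `use_target` switch is an assumption for illustration, selecting between the SRV target host as the TLSA base domain (RFC 7673) and the SRV owner domain as used in the message.

```python
"""Derive DANE TLSA query names (RFC 6698 section 3) from SRV records."""
import re
from dataclasses import dataclass

# SRV in presentation format: _service._proto.owner [TTL] [IN] SRV prio weight port target
SRV_LINE = re.compile(
    r"^_(?P<service>[^.]+)\._(?P<proto>tcp|udp|sctp)\.(?P<owner>\S+)\s+"
    r"(?:\d+\s+)?(?:IN\s+)?SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)\s+"
    r"(?P<port>\d+)\s+(?P<target>\S+)\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class SrvRecord:
    service: str
    proto: str
    owner: str
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(line: str) -> SrvRecord:
    """Parse one SRV line; reject anything that is not an SRV record."""
    m = SRV_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an SRV record in presentation format: {line!r}")
    port = int(m["port"])
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return SrvRecord(m["service"].lower(), m["proto"].lower(),
                     m["owner"].rstrip(".").lower(), int(m["prio"]),
                     int(m["weight"]), port, m["target"].rstrip(".").lower())


def tlsa_name(port: int, proto: str, base_domain: str) -> str:
    """TLSA owner is _<port>._<proto>.<base-domain>: the port number, not the
    service name, so a service on a nonstandard port gets its own TLSA name."""
    return f"_{port}._{proto}.{base_domain.rstrip('.')}."


def tlsa_names_for_srv(lines, use_target=True):
    """Map each SRV line to the TLSA name to query. use_target=True takes the
    SRV target host as base domain (RFC 7673); False takes the SRV owner."""
    out = {}
    for line in lines:
        rec = parse_srv(line)
        base = rec.target if use_target else rec.owner
        out[line.strip()] = tlsa_name(rec.port, rec.proto, base)
    return out


# Constructed sample records, modelled on the ones quoted in the thread.
SAMPLE = [
    "_mmm._tcp.example.com. IN SRV 1 10 80 host1.example.com.",
    "_mmm._tcp.example.com. IN SRV 1 10 443 host2.example.com.",
    "_mmm._tcp.example.com. IN SRV 1 10 8443 host2.example.com.",
]
```

Note that the third constructed record, pointing at the same host on a nonstandard port, yields a distinct TLSA name, which is the property the port-based label exists to provide.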