Re: Summary of the LLMNR Last Call

Bernard Aboba <> Tue, 20 September 2005 17:56 UTC

Date: Tue, 20 Sep 2005 10:55:56 -0700 (PDT)
From: Bernard Aboba <>
To: "Steven M. Bellovin" <>
Cc: Margaret Wasserman <>,

> DNSsec is very important for other reasons, such as the current 
> pharming attacks.  The risks have been known in the security community 
> since at least 1991, and publicly since at least 1995.  The long-
> predicted attacks are now happening.  We really need to get DNSsec
> deployed, independent of mDNS or LLMNR.  Given that there is now some 
> forward progress on DNSsec, it's not at all unreasonable for either or 
> both of those specs to rely on it to solve some of their particular 
> security risks.

Couldn't agree more.  But if I'm not mistaken, the current DNSSEC 
specifications do not mandate that DNS stub resolvers be DNSSEC-aware 
validating, which is what would be required for use in a peer-to-peer name 
resolution protocol.  There is also the DNSEXT WG edict that mDNS/LLMNR 
not share a cache with DNS, which makes it difficult for mDNS/LLMNR to 
utilize trust anchors or acquired keys present in the DNS cache. 
