IETF Logo Mail Archive

Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard

Patrik Fältström <paf@frobbit.se> Fri, 06 March 2015 06:29 UTC

Return-Path: <paf@frobbit.se>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A54CF1ACCED for <ietf@ietfa.amsl.com>; Thu, 5 Mar 2015 22:29:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.961
X-Spam-Level:
X-Spam-Status: No, score=-1.961 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tfQ3NSFg2GRv for <ietf@ietfa.amsl.com>; Thu, 5 Mar 2015 22:29:07 -0800 (PST)
Received: from mail.frobbit.se (mail.frobbit.se [85.30.129.185]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 622431ACCE6 for <ietf@ietf.org>; Thu, 5 Mar 2015 22:28:59 -0800 (PST)
Received: from [IPv6:2a02:80:3ffc::9148:8e10:ad61:ffb0] (unknown [IPv6:2a02:80:3ffc:0:9148:8e10:ad61:ffb0]) by mail.frobbit.se (Postfix) with ESMTPSA id DA284205A7; Fri, 6 Mar 2015 07:28:56 +0100 (CET)
Subject: Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
Content-Type: multipart/signed; boundary="Apple-Mail=_8A1BDF50-F6C9-48E4-8393-14BD38CDA9B5"; protocol="application/pgp-signature"; micalg="pgp-sha1"
X-Pgp-Agent: GPGMail 2.5b5
From: Patrik Fältström <paf@frobbit.se>
In-Reply-To: <707B021F63C5C411E563AE4B@JcK-HP8200.jck.com>
Date: Fri, 06 Mar 2015 07:28:55 +0100
Message-Id: <93DFD15D-4ED3-4FEE-B26B-F6578459137D@frobbit.se>
References: <tsl8ufoh9ko.fsf@mit.edu> <2DF7230C-D1D8-4B21-9003-B336108A38CB@vpnc.org> <20150224172649.GX1260@mournblade.imrryr.org> <tslvbircj0d.fsf@mit.edu> <0325DF3F-17F3-4400-BDEA-EDB5334BF35C@frobbit.se> <20150225180227.GT1260@mournblade.imrryr.org> <7AB921D35A7F9B23A53BD11A@JcK-HP8200.jck.com> <tslvbip8io6.fsf@mit.edu> <54F09A35.9060506@qti.qualcomm.com> <54F78650.6070503@qti.qualcomm.com> <20150305064513.GH1260@mournblade.imrryr.org> <54F7FE09.3030200@cisco.com> <7111545C27DE9021135BE185@JcK-HP8200.jck.com> <tslegp3o0zn.fsf@mit.edu> <6FC72D10-6AF2-4F84-B1AC-27F5B7E632AC@frobbit.se> <707B021F63C5C411E563AE4B@JcK-HP8200.jck.com>
To: John Klensin <john-ietf@jck.com>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/8DLQ-6iPeLOi7JsdxY_lyfK3FUU>
X-Mailman-Approved-At: Fri, 06 Mar 2015 08:13:11 -0800
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, ietf@ietf.org, Pete Resnick <presnick@qti.qualcomm.com>, Mark Nottingham <mnot@mnot.net>, Sam Hartman <hartmans-ietf@mit.edu>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Mar 2015 06:29:08 -0000

Thanks for the comments. While digesting them, I have one comment:

> On 6 mar 2015, at 07:14, John C Klensin <john-ietf@jck.com> wrote:
> 
> Generally, while I think you should warn that URI records may
> cause some risks that do not exist with, e.g., conventional name
> to address mappings (note that the "downgrade attack or not"
> considerations above would apply equally well to:
> 
>  foo.example.com.  IN A 10.2.0.44
> being diverted into a response of
>  foo.example.com.  IN A 10.0.0.6
> 
> (which would be, historically, a likely upgrade attack, but it
> has nothing to do with URI records but is equally preventable by
> an integrity check.))
> 
> As long as there is a warning, I really don't care very much
> what you say, but whatever you do say should be as accurate as
> possible.

I also see tons of zeroconf stuff (Apple Bonjour) using DNS already today in the geographically local context without much DNSSEC.

   Patrik

v2.23.0 | Report a Bug | By Email