Re: [keyassure] Asserting DANE exclusivity for an entire domain
Zack Weinberg <zack.weinberg@sv.cmu.edu> Wed, 09 February 2011 19:39 UTC
Return-Path: <zack.weinberg@gmail.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A73093A69F1 for <keyassure@core3.amsl.com>; Wed, 9 Feb 2011 11:39:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 29uYBxGlP2vO for <keyassure@core3.amsl.com>; Wed, 9 Feb 2011 11:39:26 -0800 (PST)
Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) by core3.amsl.com (Postfix) with ESMTP id 8A3643A69E2 for <keyassure@ietf.org>; Wed, 9 Feb 2011 11:39:26 -0800 (PST)
Received: by wwa36 with SMTP id 36so564802wwa.13 for <keyassure@ietf.org>; Wed, 09 Feb 2011 11:39:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=n4pX/7RrHY/rzXhMkzQY9nnUvY1uffkRCzUGhyUB24o=; b=MUTVIV24GbNxm9V8ttne8K4J+tPDlTd4YCbjvHDttomIDmIO/WJGS+Q3DLQkAlUwCm 4YaJJw9eLwsI3e1jYfjkdymn7zqZmH9Ot5uNY4Qa+m03e6I+xb4HrXzkJ0I4szxxqyM0 GdyLQSivTpan7Q2dSbze6ne+wV+mTxK0SWCpg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; b=TEUadfrqV6pkHgH9/KbjweSi6nMP6Td27ZQ9mnA44jWmw9g/9tgVuZp00JFEvhdUqp uq7oBhHILFxw8+H0ds27lWr2JwxPtdT7LcfsGWCJSXfuF4/ZXLlqs7iJHQxv4GtjOSoC 3EEyM1QYbkbGhdT6+vq6mTr6Zr7c2NuhVMTl8=
MIME-Version: 1.0
Received: by 10.227.182.142 with SMTP id cc14mr1785448wbb.215.1297280375714; Wed, 09 Feb 2011 11:39:35 -0800 (PST)
Sender: zack.weinberg@gmail.com
Received: by 10.227.151.69 with HTTP; Wed, 9 Feb 2011 11:39:33 -0800 (PST)
In-Reply-To: <alpine.LFD.1.10.1102091229000.1794@newtla.xelerance.com>
References: <201102091639.p19GdWLP029306@fs4113.wdf.sap.corp> <alpine.LFD.1.10.1102091229000.1794@newtla.xelerance.com>
Date: Wed, 09 Feb 2011 11:39:33 -0800
X-Google-Sender-Auth: cf4EgojKqS4i6ZzxqSlmhyUU2M4
Message-ID: <AANLkTim7NzX5aBeip4rw3=c+Eat_gfyk2t4-K3ZFEG7-@mail.gmail.com>
From: Zack Weinberg <zack.weinberg@sv.cmu.edu>
To: Paul Wouters <paul@xelerance.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: keyassure@ietf.org
Subject: Re: [keyassure] Asserting DANE exclusivity for an entire domain
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Feb 2011 19:39:27 -0000
On Wed, Feb 9, 2011 at 9:34 AM, Paul Wouters <paul@xelerance.com> wrote: > On Wed, 9 Feb 2011, Martin Rex wrote: > >>>>> I agree with this, but the question is how do you present an empty >>>>> list. >>>> >>>> What exactly would you want to convey with an empty list? >>>> >>>> "I won't respond to TLS, so don't even bother trying" >>> >>> More precisely, "there is no TLS service associated with this DNS >>> name/transport/port". Therefore, general-purpose clients that refer to >>> TLS services by DNS name/transport/port will not be able to make a >>> connection. > > What's wrong with an NSEC record for the TLSA/HASTLS record saying that? NSEC for any new DNS record MUST mean "behave as you would have prior to the invention of the new DNS record". To do otherwise would require a flag day for the entire Internet and therefore jeopardize not only the transition to whatever new DNS record is suggested, but the transition to DNSSEC itself. (However, a "bogus" DNSSEC validation state for any lookup at all can and should be treated as a MUST-refuse-to-proceed condition.) zw
- [keyassure] Asserting DANE exclusivity for an ent… Matt McCutchen
- Re: [keyassure] Asserting DANE exclusivity for an… Phillip Hallam-Baker
- Re: [keyassure] Asserting DANE exclusivity for an… Zack Weinberg
- Re: [keyassure] Asserting DANE exclusivity for an… Nicholas Weaver
- Re: [keyassure] Asserting DANE exclusivity for an… Zack Weinberg
- Re: [keyassure] Asserting DANE exclusivity for an… Paul Wouters
- Re: [keyassure] Asserting DANE exclusivity for an… Zack Weinberg
- Re: [keyassure] Asserting DANE exclusivity for an… Martin Rex
- Re: [keyassure] Asserting DANE exclusivity for an… Zack Weinberg
- Re: [keyassure] Asserting DANE exclusivity for an… Jakob Schlyter
- Re: [keyassure] Asserting DANE exclusivity for an… Ondřej Surý
- Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
- Re: [keyassure] Asserting DANE exclusivity for an… James Cloos
- Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
- Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
- Re: [keyassure] Asserting DANE exclusivity for an… James Cloos
- Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
- Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
- Re: [keyassure] Asserting DANE exclusivity for an… Phillip Hallam-Baker
- Re: [keyassure] Asserting DANE exclusivity for an… Paul Wouters
- Re: [keyassure] Asserting DANE exclusivity for an… Nicholas Weaver
- Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
- Re: [keyassure] Asserting DANE exclusivity for an… Phillip Hallam-Baker
- Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
- Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
- Re: [keyassure] Asserting DANE exclusivity for an… Phillip Hallam-Baker
- Re: [keyassure] Asserting DANE exclusivity for an… Paul Wouters
- Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
- Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
- Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
- Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
- Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
- Re: [keyassure] Asserting DANE exclusivity for an… Zack Weinberg
- Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
- Re: [keyassure] Asserting DANE exclusivity for an… Mark Andrews
- Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
- Re: [keyassure] Asserting DANE exclusivity for an… Paul Wouters
- Re: [keyassure] Asserting DANE exclusivity for an… Martin Rex
- Re: [keyassure] Asserting DANE exclusivity for an… Paul Wouters
- Re: [keyassure] Asserting DANE exclusivity for an… Zack Weinberg
- Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
- Re: [keyassure] Asserting DANE exclusivity for an… Zack Weinberg
- Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
- Re: [keyassure] Asserting DANE exclusivity for an… Zack Weinberg
- Re: [keyassure] Asserting DANE exclusivity for an… Phillip Hallam-Baker
- Re: [keyassure] Asserting DANE exclusivity for an… Paul Wouters
- Re: [keyassure] Asserting DANE exclusivity for an… Paul Wouters
- Re: [keyassure] Asserting DANE exclusivity for an… Paul Wouters
- Re: [keyassure] Asserting DANE exclusivity for an… Phillip Hallam-Baker
- Re: [keyassure] Asserting DANE exclusivity for an… Ilari Liusvaara
- Re: [keyassure] Asserting DANE exclusivity for an… Phillip Hallam-Baker
- Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
- Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
- Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
- Re: [keyassure] Asserting DANE exclusivity for an… Ilari Liusvaara
- Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
- Re: [keyassure] Asserting DANE exclusivity for an… Olafur Gudmundsson