Cleanup of my prior message:

 
Matt McCutchen wrote:
> 
> On Thu, 2010-09-16 at 07:27 +0200, Martin Rex wrote:
> > Clearly unsafe operations:
> > 
> >   - building a reference identifier from the result of a
> >     DNS CNAME lookup
> > 
> > (the use of DNSSEC does not make this safe)
> 
> Why not?  I'm not saying it's good practice, but I don't see an actual
> vulnerability.

You need two characteristics:
 
  (1) _trustworthy_ information source for a name transformation
  (2) _protected_access_ to the information source

DNSSEC meets (2) but not (1)

DNSSEC provides only data integrity protection and data origin
authentication for the distribution of the information.  The
use of DNSSEC for distribution of DNS data has zero impact on
the quality, accuracy and trustworthiness of the underlying
DNS information source.
 
If Wikipedia enables TLS on their web-servers tomorrow so
that you can access it through https://www.wikipedia.org/
what impact will this have on the trustworthiness of the
information in Wikipedia articles?

When there is no change to how others can access Wikipedia
and edit the content, your selection of accessing Wikipedia
through HTTPS instead of HTTP will have exactly _zero_ impact
on the trustworthiness of the information in Wikipedia articles.

-Martin
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
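Added example, not part of the thread above: a constructed illustration of the distinction the post draws. The resolver below insists on DNSSEC-validated records (protected access), yet a verifier that derives its reference identifier from the CNAME target will accept a certificate issued for a name that belongs to whoever runs the last zone in the chain. All names (example.com, cdn.example.net), records and certificate identities are made up for the example; the matching rules are a simplified form of the DNS-ID comparison in RFC 6125 section 6.4.3.

```python
"""Constructed example: reference identifiers from CNAME results vs from the
user-supplied name. Not code from the certid thread; all names, records and
certificate identities are made up."""

from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class RR:
    """One resource record as a validating stub resolver would hand it back."""
    name: str
    rtype: str            # "CNAME" or "A"
    rdata: str
    validated: bool       # True: DNSSEC chain of trust verified (AD bit set)


# Constructed answer section for a lookup of www.example.com. Every record is
# DNSSEC-validated, i.e. it is exactly what the respective zone operator
# published. Nothing says the cdn.example.net operator is trusted by the user.
CONSTRUCTED_ANSWERS: List[RR] = [
    RR("www.example.com", "CNAME", "edge.cdn.example.net", True),
    RR("edge.cdn.example.net", "CNAME", "host77.cdn.example.net", True),
    RR("host77.cdn.example.net", "A", "192.0.2.10", True),
]


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def canonical_name(qname: str, answers: Iterable[RR], max_hops: int = 8) -> str:
    """Follow the CNAME chain from qname, accepting only DNSSEC-validated
    records (property (2) in the post: protected access). Returns the final
    owner name. This gives integrity, not trustworthiness, of the target."""
    by_owner = {_norm(rr.name): rr for rr in answers if rr.rtype == "CNAME"}
    name = _norm(qname)
    for _ in range(max_hops):
        rr = by_owner.get(name)
        if rr is None:
            return name
        if not rr.validated:
            raise ValueError(f"unvalidated CNAME at {name}")
        name = _norm(rr.rdata)
    raise ValueError("CNAME chain too long")


def reference_identifier_unsafe(user_name: str, answers: Iterable[RR]) -> str:
    """The pattern the post calls clearly unsafe: the identifier the
    certificate is checked against comes from DNS data controlled by whoever
    runs the zones in the chain."""
    return canonical_name(user_name, answers)


def reference_identifier_safe(user_name: str) -> str:
    """Reference identifier derived only from the name the user supplied (the
    source the user actually trusts); DNS is used solely to find an address."""
    return _norm(user_name)


def dns_id_matches(presented: str, reference: str) -> bool:
    """DNS-ID comparison with a wildcard allowed only as the entire left-most
    label (simplified RFC 6125 section 6.4.3 rules)."""
    p_labels = _norm(presented).split(".")
    r_labels = _norm(reference).split(".")
    if len(p_labels) != len(r_labels) or len(p_labels) < 2:
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == r_labels[1:] and r_labels[0] != ""
    return p_labels == r_labels


def certificate_accepted(presented_ids: Iterable[str], reference: str) -> bool:
    """True if any dNSName in the server certificate matches the reference."""
    return any(dns_id_matches(p, reference) for p in presented_ids)


def demo() -> dict:
    """Constructed scenario: whoever controls cdn.example.net can obtain a
    perfectly valid certificate for host77.cdn.example.net (it is their name).
    With the CNAME-derived identifier that certificate is accepted for
    www.example.com; with the user-supplied identifier it is not."""
    cdn_cert_ids = ["host77.cdn.example.net"]
    unsafe_ref = reference_identifier_unsafe("www.example.com", CONSTRUCTED_ANSWERS)
    safe_ref = reference_identifier_safe("www.example.com")
    return {
        "unsafe_reference": unsafe_ref,
        "unsafe_accepts_cdn_cert": certificate_accepted(cdn_cert_ids, unsafe_ref),
        "safe_reference": safe_ref,
        "safe_accepts_cdn_cert": certificate_accepted(cdn_cert_ids, safe_ref),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the code makes is the one in the message: `canonical_name` rejects anything that is not DNSSEC-validated and still hands back a name the user never chose to trust, so validation status of the records is irrelevant to which party ends up being able to present an acceptable certificate.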