Regarding NAPTR...

On 12/6/10 10:19 AM, Ben Campbell wrote:

> -- 1.4.2, 2nd bullet item: "We also do not address identifiers
> derived from Naming Authority Pointer (NAPTR) DNS resource records
> [NAPTR] and related technologies such as [S-NAPTR], since such
> identifiers cannot be validated in a trusted manner in the absence of
> [DNSSEC]."
>
> Does that mean validation of a source domain that will be used to
> construct a NAPTR request is out of scope, or just validation against
> the result of a NAPTR query? (I note SIP may require the first).

Ben, the current text in the I-D is lame. The points we were trying to make, but poorly, are that (1) there are no identifiers for NAPTR records, as there are for SRV records, and (2) from the perspective of this spec it doesn't really matter how you get from the source domain to the IP address you use for communication (perhaps you do the A/AAAA one-step, the SRV two-step, or the NAPTR three-step, but that's immaterial for the purpose of identity checking).

Point #1 is close to obvious, so I suggest that we remove the offending sentence and add this paragraph near the end of Section 1.4.2:

   Although the process whereby a client resolves the DNS domain name of
   an application service can involve several steps (e.g., this is true
   of resolutions that depend on DNS SRV resource records, Naming
   Authority Pointer (NAPTR) DNS resource records [NAPTR], and related
   technologies such as [S-NAPTR]), for our purposes we care only about
   the fact that the client needs to verify the identity of the entity
   with which it communicates as a result of the resolution process. The
   resolution process itself is out of scope.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
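The following is an added illustration of the point Peter's reply makes, not code from the thread or from the I-D: whichever path the client takes from the source domain to an IP address (direct A/AAAA, SRV then A, or NAPTR then SRV then A), the identifiers it checks against the server's certificate are built only from the source domain the user supplied, never from the hostnames discovered along the way. The DNS data, the resolver, and the presented identifiers are all constructed in memory for the example; the `DNS-ID`/`SRV-ID` naming follows the reference-identifier vocabulary of the draft's successor, and the `_service.domain` form of the SRV-ID is an assumption of this example.

```python
"""Identity checking that is independent of the DNS resolution path.

Added example (not from the certid thread or any I-D). A constructed,
in-memory stand-in replaces real DNS so the code runs offline.
"""
from typing import Dict, FrozenSet, List, Tuple

Identifier = Tuple[str, str]  # (type, value), e.g. ("DNS-ID", "example.com")

# Constructed zone data (not real records). The source domain "example.com"
# offers an XMPP service; a NAPTR record hands off to an SRV record, which
# hands off to a host at a hosting provider, which has an A record.
FAKE_DNS: Dict[Tuple[str, str], list] = {
    ("example.com", "NAPTR"): ["_xmpp-client._tcp.example.com"],
    ("_xmpp-client._tcp.example.com", "SRV"): [("xmpp1.hosting-provider.net", 5222)],
    ("xmpp1.hosting-provider.net", "A"): ["192.0.2.10"],
    ("example.com", "A"): ["192.0.2.10"],
}


def lookup(name: str, rrtype: str) -> list:
    """Return the constructed records for (name, rrtype), or [] if none."""
    return FAKE_DNS.get((name.lower(), rrtype), [])


def resolve(source_domain: str, path: str) -> Tuple[str, str]:
    """Return (connect_host, ip) using one of three resolution paths.

    'a'     : one-step  A/AAAA on the source domain itself
    'srv'   : two-step  SRV, then A on the SRV target
    'naptr' : three-step NAPTR, then SRV, then A
    The hostname this returns is used to open the connection; it is
    deliberately NOT used anywhere in the identity check below.
    """
    if path == "a":
        host = source_domain
    elif path == "srv":
        host, _port = lookup(f"_xmpp-client._tcp.{source_domain}", "SRV")[0]
    elif path == "naptr":
        srv_name = lookup(source_domain, "NAPTR")[0]
        host, _port = lookup(srv_name, "SRV")[0]
    else:
        raise ValueError(f"unknown resolution path: {path}")
    ip = lookup(host, "A")[0]
    return host, ip


def reference_identifiers(source_domain: str, service: str) -> FrozenSet[Identifier]:
    """Identifiers the client is willing to accept, derived only from the
    source domain (DNS names compare case-insensitively, hence lower())."""
    return frozenset({
        ("DNS-ID", source_domain.lower()),
        ("SRV-ID", f"_{service}.{source_domain}".lower()),
    })


def verify_identity(presented: List[Identifier], source_domain: str, service: str) -> bool:
    """True if any identifier the server presented matches a reference
    identifier. Exact match only; wildcards are out of scope here."""
    refs = reference_identifiers(source_domain, service)
    return any((kind, value.lower()) in refs for kind, value in presented)


if __name__ == "__main__":
    # Constructed certificate contents for the two servers a client could hit.
    provider_cert = [("DNS-ID", "xmpp1.hosting-provider.net")]      # provider's own name only
    delegated_cert = [("DNS-ID", "xmpp1.hosting-provider.net"),
                      ("SRV-ID", "_xmpp-client.example.com")]       # also names the service

    for path in ("a", "srv", "naptr"):
        host, ip = resolve("example.com", path)
        ok_provider = verify_identity(provider_cert, "example.com", "xmpp-client")
        ok_delegated = verify_identity(delegated_cert, "example.com", "xmpp-client")
        # Whatever the path, the verdict depends only on the source domain.
        print(f"{path:5s} -> {host} ({ip}): provider-only cert {ok_provider}, "
              f"delegated cert {ok_delegated}")
```

Running it shows the same verdicts on every path: a certificate that names only the hosting provider's host is rejected even though that is the host the client connected to, while one that also carries the source-domain service identifier is accepted. That is the sense in which the resolution process is immaterial to the identity check.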
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
