WFM, thanks.

On Dec 7, 2010, at 1:29 PM, Peter Saint-Andre wrote:

> Regarding NAPTR...
>
> On 12/6/10 10:19 AM, Ben Campbell wrote:
>
>> -- 1.4.2, 2nd bullet item: "We also do not address identifiers
>> derived from Naming Authority Pointer (NAPTR) DNS resource records
>> [NAPTR] and related technologies such as [S-NAPTR], since such
>> identifiers cannot be validated in a trusted manner in the absence of
>> [DNSSEC]."
>>
>> Does that mean validation of a source domain that will be used to
>> construct a NAPTR request is out of scope, or just validation against
>> the result of a NAPTR query? (I note SIP may require the first).
>
> Ben, the current text in the I-D is lame. The points we were trying to
> make, but poorly, are that (1) there are no identifiers for NAPTR
> records, as there are for SRV records, and (2) from the perspective of
> this spec it doesn't really matter how you get from the source domain to
> the IP address you use for communication (perhaps you do the A/AAAA
> one-step, the SRV two-step, or the NAPTR three-step, but that's
> immaterial for the purpose of identity checking).
>
> Point #1 is close to obvious, so I suggest that we remove the offending
> sentence and add this paragraph near the end of Section 1.4.2:
>
>    Although the process whereby a client resolves the DNS domain name of
>    an application service can involve several steps (e.g., this is true
>    of resolutions that depend on DNS SRV resource records, Naming
>    Authority Pointer (NAPTR) DNS resource records [NAPTR], and related
>    technologies such as [S-NAPTR]), for our purposes we care only about
>    the fact that the client needs to verify the identity of the entity
>    with which it communicates as a result of the resolution process.
>    The resolution process itself is out of scope.
>
> Peter
>
> --
> Peter Saint-Andre
> https://stpeter.im/
>
> _______________________________________________
> Gen-art mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/gen-art

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
