On Thu, Jul 02, 2015 at 11:29:45PM +0300, Yoav Nir wrote:

> > The hard part is the transport-mode use-case.
> 
> If the SPD entries are specific and pre-configured, the same reasoning as
> for VPNs applies. Things change if you want the SPD and PAD to be dynamic,
> such as reading them from DNS.

Dynamic.

> There is RFC 4025 with the IPSECKEY record. So when the application performs
> a DNS lookup for www.example.com, the OS could also ask for an IPSECKEY
> record and get both public key and a gateway address. If we set the gateway
> address to be equal to the server address, this is the transport-mode
> use-case. Again, this all begins with the DNS name, so Mallory cannot do
> anything.

Mallory can often trigger DNS lookups for her own domain, which
can return IP addresses that collide with Alice's domain.  How
is that handled?

-- 
        Viktor.

_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane
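The collision Viktor asks about, as an added illustration (editor-written example code, not from the thread, from RFC 4025, or from any IPsec implementation): an OS that fills an address-keyed SPD/PAD from the IPSECKEY record found alongside an application's forward lookup, with the gateway field equal to the server address as in the transport-mode case above. All zone data, names, addresses and key strings are constructed. The `checked_install` variant is one possible answer that is not proposed in the thread: it only installs a key for an address when the name publishing the key is the name the reverse tree gives for that address, which assumes a DNSSEC-signed reverse zone operated independently of Mallory.

```python
"""
Constructed model of an OS that fills its IPsec SPD/PAD from RFC 4025 IPSECKEY
records found alongside an application's forward DNS lookup, in the
transport-mode variant from the thread (gateway field == server address).
Shows the collision: Mallory's zone maps her own name to Alice's address.
Everything here (names, addresses, keys) is made up for the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IPSECKEY:
    # Field order follows the RFC 4025 presentation format.
    precedence: int
    gateway_type: int      # 1 = IPv4 address in the gateway field
    algorithm: int         # 2 = RSA
    gateway: str
    public_key: str        # base64 in real records; an opaque string here


@dataclass(frozen=True)
class PADEntry:
    owner: str             # DNS name whose zone published the key
    key: IPSECKEY


# Constructed forward zones.  Assume both are DNSSEC-validated: validation is
# not the problem; the problem is that Mallory's correctly signed zone may say
# anything it likes about addresses she does not own.
FORWARD = {
    "alice.example.": {
        "A": ["192.0.2.10"],
        "IPSECKEY": [IPSECKEY(10, 1, 2, "192.0.2.10", "KEY-alice")],
    },
    "mallory.example.": {
        "A": ["192.0.2.10"],            # same address as Alice's host
        "IPSECKEY": [IPSECKEY(10, 1, 2, "192.0.2.10", "KEY-mallory")],
    },
}

# Constructed reverse zone: the party controlling 192.0.2.0/24 says who
# 192.0.2.10 is.  Assumed DNSSEC-signed and operated independently of Mallory.
REVERSE = {"192.0.2.10": "alice.example."}


def lookup(name):
    """Stand-in for the resolver: returns (A records, IPSECKEY records)."""
    rr = FORWARD.get(name, {})
    return list(rr.get("A", [])), list(rr.get("IPSECKEY", []))


def naive_install(spd, name):
    """Address-keyed SPD/PAD as sketched in the thread: whichever lookup
    happened last decides which key authenticates traffic to the address."""
    addrs, keys = lookup(name)
    for key in keys:
        if key.gateway_type == 1 and key.gateway in addrs:   # transport-mode case
            spd[key.gateway] = PADEntry(name, key)
    return spd


def checked_install(spd, name, rejected):
    """Same installation, but the name publishing the key must be the name the
    reverse tree gives for the address (RFC 4025's own examples publish the
    record under in-addr.arpa names).  Rejections are recorded for inspection."""
    addrs, keys = lookup(name)
    for key in keys:
        if key.gateway_type != 1 or key.gateway not in addrs:
            continue
        owner = REVERSE.get(key.gateway)
        if owner != name:
            rejected.append((name, key.gateway, owner))
            continue
        spd[key.gateway] = PADEntry(name, key)
    return spd


def naive_scenario(order=("alice.example.", "mallory.example.")):
    """Alice's app resolves alice.example; later Mallory gets the same host to
    resolve mallory.example (an embedded image, an MX lookup, ...)."""
    spd = {}
    for name in order:
        naive_install(spd, name)
    return spd


def checked_scenario(order=("alice.example.", "mallory.example.")):
    spd, rejected = {}, []
    for name in order:
        checked_install(spd, name, rejected)
    return spd, rejected


if __name__ == "__main__":
    print("naive   :", naive_scenario()["192.0.2.10"])
    spd, rej = checked_scenario(("mallory.example.", "alice.example."))
    print("checked :", spd["192.0.2.10"], "rejected:", rej)
```

With the naive rule, the key bound to 192.0.2.10 is simply whichever name was resolved last, so a lookup Mallory can trigger after Alice's replaces Alice's key with hers. The reverse-tree check makes the outcome independent of lookup order, at the cost of depending on the reverse zone being signed and honest.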