> Yet the IANA registry seems to have a provision for registering
> client service names (i.e. application specific identifiers used by
> clients).

It might seem that way if we didn't look too closely. All of the service
names that contain words like "client" have reserved port numbers so they
are in fact services. For example, port 5222, xmpp-client, is for
client-to-server xmpp connections as opposed to port 5269, xmpp-server,
for server-to-server connections. See RFC 6120.

> As for cluttering up the namespace in a DNS zone and causing collisions
> (John Levine's contention), I don't buy it. These application labels are
> organized underneath "client-specific" domain names - this does not meet
> my definition of cluttering. ...

It's cluttering up the namespace of prefixed names. I am a lazy guy, I
see that the set of protocols used by clients is by definition exactly the
same set of protocols used by servers, and we already have a registry for
those. So rather than spending time and effort inventing a new name every
time I want to publish a cert for a client of another service, I'm going
to invent one rule that solves the client naming problem forever:
We reserve the single pseudo-service name "client", and the client label
that corresponds to any service label _foo is _foo._client. All done.

> Actually, that was one of my original proposals outlined in -00 of the draft.

That was close, but you got the names backward.
Here's a concrete example. My laptop is named mypc.example.com. Because I
am a forward thinking guy, I send a DANE-verified client cert whenever I
connect for submission, POP, IMAP, or jabber, and because I'm still lazy,
I use the same certificate for all of them. The DNS records to tell the
world about that are:

    $ORIGIN mypc.example.com.
    _submission._client._tcp    IN TLSA  ... cert stuff ...
    _imap._client._tcp          IN CNAME _submission._client._tcp
    _imaps._client._tcp         IN CNAME _submission._client._tcp
    _pop3._client._tcp          IN CNAME _submission._client._tcp
    _pop3s._client._tcp         IN CNAME _submission._client._tcp
    _xmpp-client._client._tcp   IN CNAME _submission._client._tcp

How would you do it?
R's,
John
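
Added example, not part of the original message: a sketch of how a verifier could derive the `_foo._client._tcp` owner name described above and follow the CNAMEs in the example zone to the single TLSA record. The function names, the placeholder TLSA rdata and the hop limit are assumptions made for illustration.

```python
# Constructed sample zone mirroring the records in the message; the TLSA
# rdata is a placeholder because the message elides it.
ZONE_TEXT = """\
$ORIGIN mypc.example.com.
_submission._client._tcp   IN TLSA  PLACEHOLDER-TLSA-RDATA
_imap._client._tcp         IN CNAME _submission._client._tcp
_imaps._client._tcp        IN CNAME _submission._client._tcp
_pop3._client._tcp         IN CNAME _submission._client._tcp
_pop3s._client._tcp        IN CNAME _submission._client._tcp
_xmpp-client._client._tcp  IN CNAME _submission._client._tcp
"""

def absolute(name, origin):
    """Expand a relative zone-file name against $ORIGIN."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def load_zone(text):
    """Parse the 'owner IN TYPE rdata' lines above into {owner: (type, rdata)}."""
    origin, records = ".", {}
    for line in text.splitlines():
        fields = line.split(None, 3)
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1].lower()
            continue
        owner, _cls, rtype, rdata = fields
        if rtype == "CNAME":
            rdata = absolute(rdata, origin)
        records[absolute(owner, origin)] = (rtype, rdata)
    return records

def client_tlsa_name(service, host, proto="tcp"):
    """Service label _foo maps to _foo._client._<proto>.<host>."""
    return f"_{service}._client._{proto}.{host.rstrip('.')}.".lower()

def lookup_tlsa(service, host, records, max_hops=8):
    """Follow CNAMEs to a TLSA record; None if missing, looping or too long."""
    name, seen = client_tlsa_name(service, host), set()
    while name in records and name not in seen and len(seen) < max_hops:
        seen.add(name)
        rtype, rdata = records[name]
        if rtype == "TLSA":
            return name, rdata
        if rtype != "CNAME":
            return None
        name = rdata
    return None
```

A service with no record under `_client` (for example `smtp` here) returns `None`, so the verifier treats the client as having published nothing for that service rather than falling back to another label.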