Re: [DNSOP] introducing a couple of RRTypes (CRC/CRS) for B2B applications

Tue, 12 Apr 2022 05:28:34 -0700 

On Tue, 12 Apr 2022, Eugène Adell wrote:


Beyond the technical aspects, there are several different persons to
think about in our case : the DNS administrator obviously, the
decision maker buying (or not) a secured online service, and the CISO.


Why should this information exchange happen via DNS?


It looks more simple to have dedicated RR types to let them
communicate together


It seems a REST API using some .well-known HTTPS link seems a better
fit ?


After your comments and correcting a typo, it gives
ftp.example.com_21.example.net
Such domain name for sure doesn't exist and uses the underscore
character as separator. It has to be considered as storing data
establishing a kind of contract between the two organizations
involved.


It should have a dot in between, eg ftp.example.com._21.example.net.
Then, the underscore name should be uniquely identifying to split it
from other DNS records. eg _crs or something. Have a look at other
documents at 
https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#underscored-globally-scoped-dns-node-names


5.
I give some explanation in the answer 1 but I will rephrase. The CRS
record can be used before subscribing to a service (typically any
storage/log system/SIEM) as an indicator that this service provides
the kind of authorization process described in the document.


I still wonder if DNS is really the right fit for this.


  This document specifies the Client Roaming Control (CRC) DNS Resource
  Record allowing an organization to better control the access to
  third-party applications over Internet.  The applications
  implementing an authorization mechanism to honor the CRC, publish on
  their side the Client Roaming Support (CRS) Resource Record to inform
  of this support.


There is a big overlap here with MUD, see 
https://datatracker.ietf.org/doc/html/rfc8520

It also seems the source of authorization depends on the DNS name, but
how do you ensure a device would not be lying about their name? Would
this only work on zones with static DNS entries? If so, how would that
scale?

What would be the mechanism to authorize the publishing of CRS/CRC
records, and why can that provisioning protocol not also be used
to query/signal this data?

Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop






















					Reply via email to