I would suggest writing an Internet-Draft to start the discussion.
You are the second person to make this suggestion. Can you help me understand
what is unclear or missing from the current (W3C-formatted) document, linked in
my initial mail?
Partly, it's the way the IETF works, partly the structure of an I-D will
encourage you (or whoever) to fill out bits that you may have overlooked,
like the security considerations.
The security properties of a DNS record are quite different from a
well-known URI. If you know that the file for foo.example.com is on a web
server at example.com, the client can verify that there's an SSL
certficate with the expected domain name. But if you get the URL or
domain name from a DNS lookup, you have no verification at all unless it's
signed with DNSSEC and the client program checks the signature. In
practice hardly anyone does DNSSEC signing, under 5% of .COM.
I used to think that malicious DNS stealers were a largely hypothetical
issue, but look at this story published just today about state actors
hacking soho routers to send the DNS queries to Russia:
https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations
R's,
John
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
