Justin Karneges wrote:
> On Thursday 15 January 2009 08:51:30 Peter Saint-Andre wrote:
>> As we discussed in the jdev room yesterday, I think you would use the
>> machine-name that you discovered via SRV lookup:
>>
>> http://logs.jabber.org/j...@conference.jabber.org/2009-01-14.html#16:01:06
>
> Yes, this is the consensus.
>
> There is, however, some worry about DNS-based attacks, since the connect host
> is derived insecurely through the SRV lookup.

Correct.

> One obvious but totally
> impractical fix is to use DNSSEC.

DNSSEC is seeing more deployment, but it's taking a long time. I don't know
that I'd call it totally impractical, though.

> Another is to use XEP-233.

AFAIK, no servers implement that yet, and in any case it was designed for a
slightly different use case (basically situations in which DNS SRV results
don't tell you the hostname of the connection manager you're talking to
because load balancers are in use).

> Yet another is
> to offer some explicit trust mechanisms in the client (e.g. a field where the
> user can type the connect host in advance, to mark as trusted).

Right. This is similar to how some clients handle such things now. See
rfc3920bis for details:

http://xmpp.org/internet-drafts/draft-saintandre-rfc3920bis-08.html#tcp-resolution

/psa
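An added example, not code from this thread or from any XMPP client, of the two client-side defenses discussed above: a user-pinned list of trusted connect hosts applied to the unauthenticated SRV answers, and certificate identity checked against the JID domain the user typed rather than the SRV target. `SrvRecord`, the record values and the certificate dictionaries are constructed for illustration; the certificate shape follows what `ssl.SSLSocket.getpeercert()` returns.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvRecord:            # one _xmpp-client._tcp answer (constructed, not from DNS)
    priority: int
    weight: int
    port: int
    target: str

def select_connect_host(service_domain, srv_records, trusted_hosts=None):
    """Pick (host, port) from unauthenticated SRV answers.

    When the user has pinned trusted connect hosts (the explicit-trust
    mechanism from the thread), any SRV target outside that set is refused
    instead of being dialled."""
    if not srv_records:                      # no SRV: fall back to the domain itself
        return service_domain, 5222
    ordered = sorted(srv_records, key=lambda r: (r.priority, -r.weight))
    for rec in ordered:
        target = rec.target.rstrip(".").lower()
        if trusted_hosts is None or target in trusted_hosts:
            return target, rec.port
    raise ValueError("no SRV target is in the user's trusted connect-host list")

def _dns_name_matches(pattern, name):
    """Exact match, or a wildcard confined to the left-most label."""
    pattern, name = pattern.lower(), name.lower()
    if pattern == name:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = name.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return False

def cert_matches_service_domain(cert, service_domain):
    """cert is the dict form returned by ssl.SSLSocket.getpeercert().

    The identity verified is the JID domain the user typed, never the SRV
    target: a spoofed SRV answer then cannot redirect the client to a host
    that merely holds a valid certificate for its own name."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:                            # legacy certificates: fall back to CN
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(n, service_domain) for n in names)
```

A connection is accepted only when both checks pass; a host that passes the SRV selection but presents a certificate for its own machine name rather than the service domain is still rejected.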