Re: [DNSOP] Published: draft-hardaker-rfc5011-security-considerations-04.txt

2017-02-20 Thread Petr Špaček
Version 04 addresses all my comments, thank you! If you decide to mention me in the document feel free to use "Petr Spacek" as ASCII version of my name to avoid the Unicode madness. Have a nice day. Petr Špaček @ CZ.NIC On 02/17/2017 10:38 PM, Wes Hardaker wrote: > > For those following along

Re: [DNSOP] DNSOP Digest, Vol 123, Issue 70

2017-02-20 Thread Viktor Dukhovni
> On Feb 20, 2017, at 4:19 PM, dnsop-requ...@ietf.org wrote: > > Accept that TLSA is dead. Don't tilt at windmills with yet more discovery > schemes. There are at least ~2400 MX hosts with published TLSA records for SMTP serving over 100k domains and growing. In addition to Postfix and Exim,

[DNSOP] finding the issue tracker

2017-02-20 Thread Mark Andrews
It's hard to find issue trackers if they are not recorded as such. https://github.com/Abhayakara/draft-tldr-sutld-ps/issues should be listed as the issues tracker for https://datatracker.ietf.org/doc/draft-ietf-dnsop-sutld-ps/ -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117,

Re: [DNSOP] Proposal for a new record type: SNI

2017-02-20 Thread Mark Andrews
In message , Phillip Hallam-Baker writes: > On Mon, Feb 20, 2017 at 8:42 PM, Mark Andrews wrote: > > > > > > > Zero if it is done right. We can easily extend the DNS to say > > "Fetch the additional record for

Re: [DNSOP] Proposal for a new record type: SNI

2017-02-20 Thread Phillip Hallam-Baker
On Mon, Feb 20, 2017 at 8:42 PM, Mark Andrews wrote: > > > Zero if it is done right. We can easily extend the DNS to say > "Fetch the additional record for the SRV records before answering" > if you have this EDNS option present or just have the server do it > without the option.

Re: [DNSOP] Proposal for a new record type: SNI

2017-02-20 Thread Mark Andrews
In message , Phillip Hallam-Baker writes: > On Mon, Feb 20, 2017 at 4:08 PM, Ben Schwartz wrote: > > > On Mon, Feb 20, 2017 at 3:39 PM, Phillip Hallam-Baker < > > ph...@hallambaker.com> wrote: > > > >> I

Re: [DNSOP] Proposal for a new record type: SNI

2017-02-20 Thread John R Levine
script to find the cert hashes that will reveal the specific site is too hard so never mind? Isn't the server's certificate encrypted in TLS 1.3? Yes, but Tony's proposal as I understood it was to use the hash from a TLSA certificate instead of the text of the SNI domain. Regards, John

Re: [DNSOP] Proposal for a new record type: SNI

2017-02-20 Thread Phillip Hallam-Baker
On Mon, Feb 20, 2017 at 4:08 PM, Ben Schwartz wrote: > On Mon, Feb 20, 2017 at 3:39 PM, Phillip Hallam-Baker < > ph...@hallambaker.com> wrote: > >> I really don't like the proposal at all. The idea of beginning the TLS >> handshake in DNS is sound. But it is a completely new

Re: [DNSOP] Proposal for a new record type: SNI

2017-02-20 Thread Robert Edmonds
John R Levine wrote: > > http://www.bieberfever.com/ ("The Official Justin Bieber Fan Club") is > > hosted by Akamai on 23.38.103.18. > > According to DNSDB (IMO the best passive DNS service), there are 605 > > other sites *also* hosted on 23.38.103.18. > > > No doubt pervasive monitors (and

Re: [DNSOP] Proposal for a new record type: SNI

2017-02-20 Thread John R Levine
http://www.bieberfever.com/ ("The Official Justin Bieber Fan Club") is hosted by Akamai on 23.38.103.18. According to DNSDB (IMO the best passive DNS service), there are 605 other sites *also* hosted on 23.38.103.18. No doubt pervasive monitors (and others) will use passive DNS systems to

Re: [DNSOP] Proposal for a new record type: SNI

2017-02-20 Thread Warren Kumari
On Mon, Feb 20, 2017 at 4:19 PM, John Levine wrote: > In article you write: >>Would it be easier or harder, instead of adding a new SNI RRtype, to use >>DANE TLSA records to identify the server's cert or key, and use a

Re: [DNSOP] Proposal for a new record type: SNI

2017-02-20 Thread John Levine
In article you write: >Would it be easier or harder, instead of adding a new SNI RRtype, to use >DANE TLSA records to identify the server's cert or key, and use a >variation of TLS SNI to request the cert by digest instead of by name? I

Re: [DNSOP] Proposal for a new record type: SNI

2017-02-20 Thread Phillip Hallam-Baker
I really don't like the proposal at all. The idea of beginning the TLS handshake in DNS is sound. But it is a completely new handshake and authentication layer. Right now we have a bit of a mess with service discovery. We have a solid proposal that makes sense written up as a standard and we have