Version 04 addresses all my comments, thank you!
If you decide to mention me in the document feel free to use "Petr Spacek" as
ASCII version of my name to avoid the Unicode madness.
Have a nice day.
Petr Špaček @ CZ.NIC
On 02/17/2017 10:38 PM, Wes Hardaker wrote:
>
> For those following along with
> On Feb 20, 2017, at 4:19 PM, dnsop-requ...@ietf.org wrote:
>
> Accept that TLSA is dead. Don't tilt at windmills with yet more discovery
> schemes.
There are at least ~2400 MX hosts with published TLSA records for SMTP serving over
100k domains and growing. In addition to Postfix and Exim, vendo
It's hard to find issue trackers if they are not recorded as such.
https://github.com/Abhayakara/draft-tldr-sutld-ps/issues
should be listed as the issues tracker for
https://datatracker.ietf.org/doc/draft-ietf-dnsop-sutld-ps/
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Austr
In message
, Phillip Hallam-Baker writes:
> On Mon, Feb 20, 2017 at 8:42 PM, Mark Andrews wrote:
>
> >
> >
> > Zero if it is done right. We can easily extend the DNS to say
> > "Fetch the additional record for the SRV records before answering"
> > if you have this EDNS option present or just ha
On Mon, Feb 20, 2017 at 8:42 PM, Mark Andrews wrote:
>
>
> Zero if it is done right. We can easily extend the DNS to say
> "Fetch the additional record for the SRV records before answering"
> if you have this EDNS option present or just have the server do it
> without the option. There is nothi
In message
, Phillip Hallam-Baker writes:
> On Mon, Feb 20, 2017 at 4:08 PM, Ben Schwartz wrote:
>
> > On Mon, Feb 20, 2017 at 3:39 PM, Phillip Hallam-Baker <
> > ph...@hallambaker.com> wrote:
> >
> >> I really don't like the proposal at all. The idea of beginning the TLS
> >> handshake in DNS i
script to find the cert hashes that will reveal the specific site is too
hard so never mind?
Isn't the server's certificate encrypted in TLS 1.3?
Yes, but Tony's proposal as I understood it was to use the hash from a
TLSA certificate instead of the text of the SNI domain.
Regards,
John Levi
On Mon, Feb 20, 2017 at 4:08 PM, Ben Schwartz wrote:
> On Mon, Feb 20, 2017 at 3:39 PM, Phillip Hallam-Baker <
> ph...@hallambaker.com> wrote:
>
>> I really don't like the proposal at all. The idea of beginning the TLS
>> handshake in DNS is sound. But it is a completely new handshake and
>> auth
John R Levine wrote:
> > http://www.bieberfever.com/ ("The Official Juston Bieber Fan Club") is
> > hosted by Akamai on 23.38.103.18.
> > According to DNSDB (IMO the best passive DNS service), there are 605
> > other sites *also* hosted on 23.38.103.18.
>
> > No doubt pervasive monitors (and other
http://www.bieberfever.com/ ("The Official Juston Bieber Fan Club") is
hosted by Akamai on 23.38.103.18.
According to DNSDB (IMO the best passive DNS service), there are 605
other sites *also* hosted on 23.38.103.18.
No doubt pervasive monitors (and others) will use passive DNS systems
to build
On Mon, Feb 20, 2017 at 4:19 PM, John Levine wrote:
> In article you write:
>>Would it be easier or harder, instead of adding a new SNI RRtype, to use
>>DANE TLSA records to identify the server's cert or key, and use a
>>variation of TLS SNI to request the cert by digest instead of by name?
>
> I
In article you write:
>Would it be easier or harder, instead of adding a new SNI RRtype, to use
>DANE TLSA records to identify the server's cert or key, and use a
>variation of TLS SNI to request the cert by digest instead of by name?
I don't see how that would help. Using passive DNS it's easy
I really don't like the proposal at all. The idea of beginning the TLS
handshake in DNS is sound. But it is a completely new handshake and
authentication layer.
Right now we have a bit of a mess with service discovery. We have a solid
proposal that makes sense written up as a standard and we have
Would it be easier or harder, instead of adding a new SNI RRtype, to use
DANE TLSA records to identify the server's cert or key, and use a
variation of TLS SNI to request the cert by digest instead of by name?
Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Hebrides, Bailey