On 4/14/11 2:22 PM, Philipp Hancke wrote: <snip/>
> Actually, I mostly disagree with the "removed requirement for the > Receiving Server to close the stream if the dialback key is invalid" > stuff. From the security POV, why should the receiving server not > terminate the stream? Because, from the performance point of view, it doesn't want to discard the 10,000 valid domains it already supports on that stream. That's a huge cost to impose on the server just because the 10,001st domain has a DNSSEC problem. For traditional dialback the force-close requirement is fine. For dialback as used for domain name assertions with DNSSEC it seems too strong to me. Peter -- Peter Saint-Andre https://stpeter.im/
smime.p7s
Description: S/MIME Cryptographic Signature