Another problem of using DNS is: name resolution itself is not secure if DNSSEC is not used (true in most cases). Dependency on DNS may introduce new security vulnerabilities to Syslog/TLS.

Client should use a priori knowledge to check server's certificate, such as URL, if it is available.

> -----Original Message-----
> From: Balazs Scheidler [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 20, 2006 11:40 PM
> To: David B Harrington
> Cc: [EMAIL PROTECTED]
> Subject: RE: [Syslog] Summary of the syslog/tls issues resolving
>
> On Thu, 2006-04-20 at 11:34 -0400, David B Harrington wrote:
> > Hi,
> >
> > I also have concerns about depending on DNS.
> >
> > I want to be sure I understand what you are suggesting as an
> > alternative.
> > Is the mapping from IP to hostname operator-defined in a static way?
> >
> > What happens, network-management-wise, when an IP address changes for
> > a given host, or more importantly, is reissued to a different host?
>
> I would say that the client should be configured to log to
> log://loghost.domain/ instead of logging to an IP address.
> (maybe we can also define an URL format, but not necessarily)
>
> In this case the name of the host is in the URL, and this is
> what the certificate should be compared against. This way we
> only rely on the DNS to forward-resolve hostnames which should work.
>
> --
> Bazsi
>
>
> _______________________________________________
> Syslog mailing list
> [email protected]
> https://www1.ietf.org/mailman/listinfo/syslog
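The point made in this exchange, as an added example that is not part of the thread or of any syslog implementation: the name the client checks the server certificate against is taken from the operator-configured `log://` URL, never from a reverse DNS lookup of the peer address, so a forged DNS answer can at most send the client to the wrong host, where the certificate check then fails. The `log://` scheme is the one Balazs proposed; the default port 6514 and the `certificate_matches()` helper (an RFC 6125-style name comparison over the dict shape returned by Python's `getpeercert()`) are this example's own assumptions.

```python
"""Added example: derive the identity to verify from the configured URL,
not from DNS, and compare it against the certificate's names."""
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

DEFAULT_PORT = 6514  # assumed default for log://; syslog/TLS port in later specs


def configured_identity(url):
    """Return (hostname, port) from a URL such as log://loghost.domain/.

    The hostname is the identity the server certificate must carry. It comes
    from operator configuration (a priori knowledge), so DNS is only used later
    to forward-resolve it into an address to connect to.
    """
    parts = urlsplit(url)
    if parts.scheme != "log" or not parts.hostname:
        raise ValueError("expected log://<hostname>[:port]/")
    host = parts.hostname
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return host, parts.port or DEFAULT_PORT
    # An IP literal gives no name to verify; refuse instead of falling back to
    # a reverse lookup, which anyone who controls DNS answers could forge.
    raise ValueError("configure a hostname, not an IP address: %s" % host)


def _name_matches(pattern, name):
    """RFC 6125-style comparison: case-insensitive, wildcard only as the whole
    left-most label, and (conservatively) never against a two-label name."""
    p, n = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if p == n:
        return True
    if not p.startswith("*."):
        return False
    plabels, nlabels = p.split("."), n.split(".")
    return (len(plabels) == len(nlabels)
            and len(nlabels) >= 3
            and plabels[1:] == nlabels[1:])


def certificate_matches(cert, expected_host):
    """cert has the dict shape of ssl.SSLSocket.getpeercert().

    Use subjectAltName dNSName entries when present; fall back to the subject
    commonName only if the certificate has no SAN at all (legacy behaviour).
    """
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return any(_name_matches(pattern, expected_host) for pattern in names)


def connect_syslog_tls(url, ca_file):
    """Open a TLS connection whose accepted peer identity is the configured
    hostname. ssl.create_default_context() already enables hostname checking,
    so the library applies the same rule certificate_matches() spells out."""
    host, port = configured_identity(url)
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    raw = socket.create_connection((host, port))  # DNS: forward resolution only
    return ctx.wrap_socket(raw, server_hostname=host)  # SNI + name check


if __name__ == "__main__":
    # Constructed certificate dict, not a real server's certificate.
    sample_cert = {
        "subject": ((("commonName", "old.example"),),),
        "subjectAltName": (("DNS", "loghost.domain"), ("DNS", "*.logs.example")),
    }
    host, port = configured_identity("log://loghost.domain/")
    print(host, port, certificate_matches(sample_cert, host))
```

If the operator later re-addresses `loghost.domain`, only the DNS record changes; the configured name and the certificate stay the same, which answers the address-reuse concern raised in the quoted message without trusting reverse DNS.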
