Hi,

> Besides DNSSEC, or some other secure mapping service, I can't think
> of an obvious one. You'd need to figure out how to encode the service
> identity in the DNS query name, which is precisely the thing the
> S-NAPTR lookup is trying to find.
>

Thanks for giving this some thought!

>> And do you consider discussing this issue in your draft?
>>
>
> Are you proposing to just discuss this issue, or that we should
> try to find a solution to the problem?
>

I wouldn't mind if you try to solve it, of course :-) But since there is
apparently no trivial "fix" to server id validation, I'd be just as happy
with a simple paragraph stating that validation of (S-)NAPTR-derived
identities doesn't work in a trusted manner without DNSSEC.

(But that's just me, since I don't mind prescribing DNSSEC in my draft;
but my working group chair already expressed that he'd prefer something
else)

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
