On Jun 8, 2012, at 04:54, Tony Finch wrote:

> Matt Miller <[email protected]> wrote:
>> On Jun 7, 2012, at 15:12, Peter Saint-Andre wrote:
>
> Glad we're all pretty much agreeing :-) One further question:
>
>> If this specification is about DNSSEC with DANE goodness, then I do
>> think the A/AAAA verification is necessary, or at least recommended.
>
> What advantage does the verification have, if the client is going to check
> the server certificate? (I'm assuming that bogus == DNS lookup failure, so
> the question is about secure vs. insecure.) The client knows the SRV
> record is secure so the link from source domain to derived domain is
> secure. If the address records are insecure, the client needs to check a
> certificate to be sure the server is the right one; the client gets the
> same level of assurance whether it matches the source or derived domain.

I was thinking of a case where a hosting provider ("hosting.example.net" in our
text) has their DNS entries hijacked, and the hijacker finds a CA that will
issue them certs for the hijacked name. My thinking was this can be mitigated
by verifying the A/AAAA records.
That was my thinking, but I'm less convinced it's worth covering now, and will
probably remove it in the next revision.
- m&m
Matt Miller - <[email protected]>
Cisco Systems, Inc.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
