On Fri, Feb 07, 2014 at 08:49:13PM -0500, Paul Wouters wrote:
> I'm sure the spammers have awesome LHS dictionaries gathered over the
> years. Your proposal does not actually add any security.
If that's the group consensus, fine. Though it seems to me that
including the domain in the hash is essentially free, so why not?
> >Bottom line, hash the full address, not just the localpart.
>
I just thought you'd do the simplest thing that costs nothing and
turns the attack from a single dictionary into a per-site attack.
I did not see any downside.
> The hashing is not a security feature. Hashing the domain brings in
> other problems, such as case sensitivity that changes hashes but not
> DNS names.
Don't see how. The domain would be canonicalized to lower case
before hashing, just as with NSEC3.
> Also, not using the domain name allows for CNAME/DNAME entries, so for
> example I can add the same record in my "libreswan.org" zone that is
> used as DNAME for libreswan.{net|com|ca|fi|nl}. Adding the domain into
> the hash would break this setup.
Indeed hashing the domain would cause a problem with DNAMEs.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
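As an added illustration of the two owner-name schemes being argued over (this is example code, not code from the thread or from any DANE implementation), the block below builds the hashed label both ways: over the local-part only, and over the full address with the domain canonicalized to lower case before hashing. It assumes SHA-256 truncated to 28 octets, hex-encoded, under a `_openpgpkey` label; the thread does not fix the hash function or the label, so those are assumptions. The sample names and domains are constructed. It then checks the two claims made above: that a local-part-only hash lets one record serve every domain aliased by DNAME, and that the same choice lets a single precomputed dictionary of local-parts be reused against every site.

```python
import hashlib

# Assumption (not stated in the thread): SHA-256 truncated to 28 octets,
# hex-encoded, as the owner-name label under "_openpgpkey".
HASH_OCTETS = 28
LABEL = "_openpgpkey"


def canonicalize_domain(domain: str) -> str:
    """Lower-case the domain and drop a trailing dot, NSEC3-style, so that
    'LibreSwan.ORG.' and 'libreswan.org' hash identically."""
    return domain.rstrip(".").lower()


def hash_label(data: bytes) -> str:
    """Truncated SHA-256 of the hashed input, as a hex label."""
    return hashlib.sha256(data).digest()[:HASH_OCTETS].hex()


def owner_localpart_only(localpart: str, domain: str) -> str:
    """Scheme A: hash covers only the local-part; domain appended in the clear."""
    return f"{hash_label(localpart.encode())}.{LABEL}.{canonicalize_domain(domain)}"


def owner_full_address(localpart: str, domain: str) -> str:
    """Scheme B: hash covers local-part '@' canonicalized domain."""
    dom = canonicalize_domain(domain)
    return f"{hash_label(f'{localpart}@{dom}'.encode())}.{LABEL}.{dom}"


def hashed_label(owner: str) -> str:
    """First label of an owner name, i.e. the part a DNAME does not rewrite."""
    return owner.split(".", 1)[0]


def dname_compatible(scheme, localpart: str, domains) -> bool:
    """True when the hashed label is identical across all domains, so one
    record in the DNAME target zone serves every aliased zone."""
    return len({hashed_label(scheme(localpart, d)) for d in domains}) == 1


def precomputed_dictionary(scheme, wordlist, domain: str) -> dict:
    """Attacker's view: hashed label -> guessed local-part, built for one domain."""
    return {hashed_label(scheme(w, domain)): w for w in wordlist}


def reverse_owner(table: dict, owner: str):
    """Look a published owner name up in a precomputed table; None if unknown."""
    return table.get(hashed_label(owner))


if __name__ == "__main__":
    # Constructed sample data, not from the thread.
    zones = ["libreswan.org", "libreswan.net", "libreswan.ca"]
    guesses = ["paul", "viktor", "postmaster"]

    print("DNAME works, local-part only:", dname_compatible(owner_localpart_only, "paul", zones))
    print("DNAME works, full address:   ", dname_compatible(owner_full_address, "paul", zones))

    # A dictionary built once against libreswan.org, reused against libreswan.net.
    table_a = precomputed_dictionary(owner_localpart_only, guesses, "libreswan.org")
    table_b = precomputed_dictionary(owner_full_address, guesses, "libreswan.org")
    print("reversed (A):", reverse_owner(table_a, owner_localpart_only("paul", "libreswan.net")))
    print("reversed (B):", reverse_owner(table_b, owner_full_address("paul", "libreswan.net")))
```

Running it shows the trade-off in one screen: under scheme A the hashed label for `paul` is the same in every zone, so a DNAME from libreswan.net to libreswan.org resolves to the right record, but a local-part dictionary hashed once reverses names in every zone; under scheme B the dictionary has to be rebuilt per domain, and the DNAME setup no longer works.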