In message <[email protected]>, "Olle E. Johansson" writes:
> Hi!
>
> Re-reading I found another issue that confuses me a bit:
>
> "SRV is secure: The reference identifiers SHALL include both the
> service domain and the SRV target server host name (e.g., include
> both "im.example.com" and "xmpp23.hosting.example.net"). The
> target server host name is the preferred name for TLS SNI or its
> equivalent."
>
> Why SHALL we include the service domain? I thought the reasoning here
> was that the signed chain was the proof of authorization to handle a specific
> service domain. I don't really see the point in having the service domain
> in the cert as this generates issues with multi-hosting (as previously discussed).
>
> Again I may have missed previous conversation, so feel free to tell me to shut
> up and send me pointers to those ;-)
>
> The SNI discussion is also a bit unclear. To be nitpicking, someone pointed
> out to me that SNI only supports hostnames. If we want to ask for service
> domains we have to register a new type of SNI if I understood it correctly.
> This means that section 6 discussion about SNI in section 6 that
> recommends SNI with service domains is not really supported by SNI.
>
> Cheers,
> /O
The assumption is that one will share a port if the protocol permits it
(e.g. HTTPS, SMTP), so there are scaling issues. 50000 names in a cert
does not scale. Using the server name is the only real solution. For
protocols where you can't share a port you could use either, but to make
it consistent you use the server's name. SHALL helps here if you are
transitioning from CNAME to SRV, as you can point both to the same
instance.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
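Added example (editor's code, not from this thread or from the draft under discussion): a small client-side model of the "SRV is secure" rule quoted above. Both the service domain and the SRV target host name become reference identifiers, the target host name is what goes into SNI, and the certificate is accepted if it matches at least one of them. That "at least one" reading, the fallback to the service domain alone when the SRV answer was not DNSSEC-secure, and the simplified single-label wildcard matching are assumptions of this example, not text from the thread. The names (im.example.com, xmpp23.hosting.example.net) are the ones in the quoted draft text; the SrvResult record and its fields are constructed for the example. It also shows Mark's point: a hosting provider whose certificate carries only its own server name is accepted for any service domain that points at it, so the certificate does not have to grow with the number of hosted domains.

```python
"""Reference-identifier check for TLS reached via an SRV lookup (added example)."""
from dataclasses import dataclass


def normalize(name: str) -> str:
    """DNS names compare case-insensitively; a trailing dot is just the root label."""
    return name.rstrip(".").lower()


@dataclass(frozen=True)
class SrvResult:
    """Constructed record of what the SRV lookup produced (hypothetical type)."""
    service_domain: str   # what the user typed, e.g. "im.example.com"
    target: str           # SRV target host, e.g. "xmpp23.hosting.example.net"
    port: int
    secure: bool          # was the SRV answer DNSSEC-validated?


def reference_identifiers(srv: SrvResult) -> list[str]:
    """Per the quoted rule, a secure SRV answer yields both names as reference
    identifiers. Assumption: with an insecure answer the target cannot be trusted,
    so only the service domain remains."""
    ids = [normalize(srv.service_domain)]
    if srv.secure:
        ids.append(normalize(srv.target))
    return ids


def sni_name(srv: SrvResult) -> str:
    """SNI carries a host name; the quoted text prefers the target server host name."""
    return normalize(srv.target) if srv.secure else normalize(srv.service_domain)


def dnsname_matches(presented: str, reference: str) -> bool:
    """Exact match, or a single left-most wildcard label (*.hosting.example.net)
    that covers exactly one label. Simplified matching, assumed for the example."""
    p, r = normalize(presented), normalize(reference)
    if p == r:
        return True
    if p.startswith("*."):
        suffix = p[1:]                        # ".hosting.example.net"
        return r.endswith(suffix) and "." not in r[: -len(suffix)]
    return False


def certificate_accepted(san_dnsnames: list[str], srv: SrvResult) -> bool:
    """Accept when any presented dNSName matches any reference identifier."""
    return any(
        dnsname_matches(san, ref)
        for san in san_dnsnames
        for ref in reference_identifiers(srv)
    )


if __name__ == "__main__":
    # Constructed scenario: the hosting provider's cert names only its own server.
    srv = SrvResult("im.example.com", "xmpp23.hosting.example.net", 5222, secure=True)
    print("SNI:", sni_name(srv))
    print("accepted (secure SRV):", certificate_accepted(["xmpp23.hosting.example.net"], srv))
    insecure = SrvResult("im.example.com", "xmpp23.hosting.example.net", 5222, secure=False)
    print("accepted (insecure SRV):", certificate_accepted(["xmpp23.hosting.example.net"], insecure))
```

With a secure SRV answer the provider's single-name certificate is accepted for im.example.com; with an insecure answer the same certificate is rejected, because only the service domain is a reference identifier and the certificate does not name it.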
