Forgot to CC the list on my reply to John. (Sorry for the duplicate, John.)
There are some problems that can only be solved by adding a level of indirection. However, in the reverse direction (removing a level of indirection), this can be done trivially: DNAME. I.e., for those places where putting both RRtypes at the same owner name is desired, it is enough to add one DNAME record that points to the other place in the DNS tree. (It doesn't matter much which one is "primary", other than maybe some performance.) DNAME-aware things will use the DNAME. DNAME-unaware things will expect, receive, and use synthesized CNAMEs.

This scales a lot better (DNAME vs. manually- or script-maintained CNAMEs). Having DNAME then allows the case-munging CNAME-per-mailbox to also scale.

So, I do not support unifying the _labels to a single _label.

Brian

On Fri, Mar 13, 2015 at 11:23 AM, John Levine <[email protected]> wrote:
> I see that in dane-openpgpkey, the name on the record is
>
> <hash>._openpgpkey.domain
>
> and in dane-smime, the name is:
>
> <hash>._smimecert.domain
>
> These are two different names for the same mailbox. Since they use
> the same hash, wouldn't it be a better idea for both of them and any
> future RRs that use hashed mailboxes to use the same name?
>
> <hash>._mailbox.domain
>
> There's no confusion between the two, since they're different RR
> types. The tree walking attacks are no different, since the attacker
> knows the small set of _token names that might be in use either way.
>
> I expect we will end up with conventional kludges to deal with the
> reality that systems treat mailbox names as case independent, e.g.,
> publish the hash of the name as normally capitalized, but also publish
> a CNAME at the hash of the name with everything in lower case. (This
> doesn't work very well for non-ASCII names. It's a kludge, but like
> all kludges, it'll work better in practice than in theory.) With one
> name, we only need to do one kludge per mailbox, rather than the
> product of the number of mailboxes and the number of RR types.
>
> R's,
> John
>
> PS: The payment record draft that showed up a few days ago uses _pmta,
> but again, same mailbox, should be at the same name.
>
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane
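An added example, written for this page and not code from either message in the thread: it models the two publishing schemes being argued about (one copy of the per-mailbox records under each _label, versus one label plus a DNAME from the others), counts the case-munging CNAMEs each scheme needs, and implements the RFC 6672 DNAME substitution that produces the synthesized CNAME a DNAME-unaware client would receive. Assumptions that are not on the page: the local part is hashed as RFC 7929 later specified for OPENPGPKEY (SHA2-256 truncated to 28 octets, hex), the label-to-RRtype mapping, the domain example.com, and the constructed mailbox names.

```python
"""Added example (not from the thread): compare per-label copies of DANE
mailbox records with one label plus a DNAME, and show RFC 6672 DNAME
substitution as a DNAME-unaware client would see it (a synthesized CNAME)."""
import hashlib

# RR type published under each label. OPENPGPKEY and SMIMEA are real types;
# mapping the thread's labels to them is this example's assumption.
RRTYPE_FOR_LABEL = {"_openpgpkey": "OPENPGPKEY", "_smimecert": "SMIMEA"}


def mailbox_hash(local_part: str) -> str:
    """Hash the local part as RFC 7929 specifies for OPENPGPKEY owner names:
    SHA2-256 over the UTF-8 local part, truncated to 28 octets, lower-case hex.
    Assumption: the 2015 drafts discussed in the thread may have differed."""
    return hashlib.sha256(local_part.encode("utf-8")).digest()[:28].hex()


def owner_name(local_part: str, domain: str, label: str) -> str:
    """<hash>.<_label>.<domain>. as written in the thread (absolute name)."""
    return f"{mailbox_hash(local_part)}.{label}.{domain.rstrip('.')}."


def mailbox_records(local_part: str, domain: str, label: str, rrtypes) -> list:
    """The case-insensitivity kludge John describes: the real records sit at
    the hash of the name as normally capitalized, and a CNAME at the hash of
    the all-lower-case form points to them (omitted when both names coincide).
    '<rdata>' stands in for the certificate or key data."""
    canonical = owner_name(local_part, domain, label)
    records = [f"{canonical} IN {rrtype} <rdata>" for rrtype in rrtypes]
    lowered = owner_name(local_part.lower(), domain, label)
    if lowered != canonical:
        records.append(f"{lowered} IN CNAME {canonical}")
    return records


def zone_without_dname(mailboxes, domain, labels) -> list:
    """Each label carries its own per-mailbox records, so the kludge CNAMEs
    multiply: one per mailbox per label."""
    out = []
    for local_part in mailboxes:
        for label in labels:
            out.extend(mailbox_records(local_part, domain, label,
                                       [RRTYPE_FOR_LABEL[label]]))
    return out


def zone_with_dname(mailboxes, domain, labels) -> list:
    """Brian's alternative: put every RR type at the same owner name under the
    first label, and add one DNAME per additional label pointing at it. The
    extra labels then need no per-mailbox records (and no kludge CNAMEs)."""
    primary, *others = labels
    all_types = [RRTYPE_FOR_LABEL[label] for label in labels]
    out = []
    for local_part in mailboxes:
        out.extend(mailbox_records(local_part, domain, primary, all_types))
    for label in others:
        out.append(f"{label}.{domain.rstrip('.')}. IN DNAME "
                   f"{primary}.{domain.rstrip('.')}.")
    return out


def dname_substitute(qname: str, dname_owner: str, dname_target: str):
    """RFC 6672 substitution: for a query name strictly below the DNAME owner,
    return the target of the CNAME a server would synthesize; None when the
    DNAME does not apply (the owner name itself is never substituted)."""
    q = qname.lower().rstrip(".")
    owner = dname_owner.lower().rstrip(".")
    if not q.endswith("." + owner):
        return None
    prefix = q[: -len(owner) - 1]
    return f"{prefix}.{dname_target.rstrip('.')}."


if __name__ == "__main__":
    # Constructed sample data, not real zone contents.
    boxes = ["John.Levine", "brian", "Alice"]
    labels = ["_openpgpkey", "_smimecert"]
    for line in zone_without_dname(boxes, "example.com", labels):
        print(line)
    print("--- with DNAME ---")
    for line in zone_with_dname(boxes, "example.com", labels):
        print(line)
    q = owner_name("John.Levine", "example.com", "_smimecert")
    print(q, "->", dname_substitute(q, "_smimecert.example.com",
                                   "_openpgpkey.example.com"))
```

Running it prints both zone fragments; with the three constructed mailboxes, two of which contain upper-case letters, the per-label scheme needs four kludge CNAMEs and the DNAME scheme two plus a single DNAME, and the query for the SMIMEA name under _smimecert substitutes to exactly the owner name the records live at under _openpgpkey.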
