On Wed, 25 Mar 2015, Nico Williams wrote:

> On Wed, Mar 25, 2015 at 04:32:03PM +0100, Pieter Lexis wrote:
> > Disadvantages:
> > - MTAs will need to talk HTTPS
> > - It's not DANE (more like 'DNS-Assisted')
> > - It kind-of defeats the purpose of this WG
> > - No NSEC3-like protection from address leakage (see sections 9.2 and
> >   9.3 of RFC7033)
>
> No, if you discover the lookup service using DNSSEC and the service's
> public keys with DANE, then the lookup service is an extension of the
> DNS, and it can provide secure non-existence answers.

If the lookup service is on port X, and the attacker blocks port X, you
do not know whether there is a service interruption or an active attack.

Any lookup mechanism must remain within the DNS.

Paul

_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane