On Wed, Apr 01, 2015 at 12:53:57PM -0400, Paul Wouters wrote:
> On Wed, 1 Apr 2015, Nico Williams wrote:
>
> >DNS servers exist which serve dynamically-generated data, and DNS
> >servers exist which serve signed (on the fly) dynamically-generated
> >RRsets with non-existence proofs. IIUC PowerDNS is one example.
>
> And requiring the private DNS key is available on all name servers
> for online signing really adds a huge amount of risk to the server
> in case of compromise - an attacker could make up OPENPGPKEY records.

Any dynamic lookup will have this problem. The pointer-to-server approach
has the same problem, only at an HTTPS server instead of at a DNS server.
The scope of compromise can be limited in both cases (since the online keys
in the DNS case could be for just the SMIME/OPENPGP sub-zones).

John L.'s regexp DFA concept doesn't have any such problems, but I think
it'd be rather slow for MUAs...

Any mail domain that chooses simply not to implement any dynamic mailbox
name canonicalization can fob off all normalization problems onto users.

Nico

-- 
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
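Added illustration, not part of the thread above and not code from any of its participants: why mailbox-name canonicalization and offline signing interact the way Nico describes. The owner-name construction follows what the OPENPGPKEY specification later standardized in RFC 7929 (SHA-256 of the UTF-8 local-part, truncated to 28 octets, hex-encoded, under the _openpgpkey label). Because the server only ever sees the hash, a statically signed zone can carry records for the spellings the operator pre-computed and nothing else; any normalization of the typed address has to happen before hashing, on the client, or be answered dynamically by the server. The canonicalization policy (lowercase, dots ignored), the mailboxes and the domain are constructed for the demo and are assumptions, not rules from the spec or the list discussion.

```python
import hashlib

# Added example (not from the mailing-list thread). Owner-name construction
# per RFC 7929: SHA-256 over the UTF-8 local-part, first 28 octets, hex,
# then "._openpgpkey." and the mail domain.


def openpgpkey_owner(local_part: str, domain: str) -> str:
    """Return the fully qualified OPENPGPKEY owner name for one mailbox."""
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain.rstrip('.')}."


def canonicalize_local_part(local_part: str) -> str:
    """Assumed site policy for the demo: case-insensitive local parts with
    dots ignored. This is a constructed example policy, not the spec's rule."""
    return local_part.lower().replace(".", "")


def build_static_zone(canonical_mailboxes, domain: str) -> dict:
    """Owner names a zone operator can pre-compute and sign offline:
    exactly one per canonical spelling, keyed by owner name."""
    return {openpgpkey_owner(lp, domain): lp for lp in canonical_mailboxes}


def lookup(zone: dict, typed_local_part: str, domain: str,
           client_canonicalizes: bool):
    """Simulate an MUA query against the static zone.

    The authoritative server sees only the hashed owner name, so it cannot
    recover or normalize the typed local part; the only way a variant
    spelling hits a pre-signed record is if the client normalizes first.
    Returns the matched canonical mailbox, or None (NXDOMAIN in DNS terms)."""
    if client_canonicalizes:
        typed_local_part = canonicalize_local_part(typed_local_part)
    return zone.get(openpgpkey_owner(typed_local_part, domain))


if __name__ == "__main__":
    # Constructed sample data.
    zone = build_static_zone(["hugh", "nico"], "example.com")
    for typed in ("hugh", "Hugh", "h.ugh", "NICO"):
        raw = lookup(zone, typed, "example.com", client_canonicalizes=False)
        canon = lookup(zone, typed, "example.com", client_canonicalizes=True)
        print(f"{typed:6s} raw={raw!s:5s} canonicalized={canon}")
```

Running it shows that only the canonical spellings resolve without client-side normalization; every other variant misses the static zone, which is the trade-off Nico points at: either the client (or an online-signing server) does the normalization, or the domain leaves the problem to users.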
