On Oct 21, 2011, at 11:19 AM, Ted Lemon wrote:

> On Oct 21, 2011, at 11:13 AM, Keith Moore wrote:
>> IMO: search lists are useful, but only with "bare names" - and the behavior
>> of those should be implementation dependent. Trying to nail it down will
>> break too much widespread practice.
>
> On a desktop workstation they are useful, because you can largely trust the
> security of the physical network. On mobile nodes, though, they are
> harmful, because they open up a really easy avenue for exploit.

True. But unsecured DNS is easily exploited regardless of whether bare names are used. (And I've never bought the idea that DNSSEC verification can reasonably be done by an external host.)

(When I think about things, I generally assume that nearly all nodes are mobile, because that's clearly the way things are going. I expect that desktop workstations - in the sense of hosts that serve individual users and have fixed locations in the network - will be almost nonexistent in a very short time. They don't need to be special-cased.)

> On MIF nodes, they also open up potential for mistakes. So if we are to
> meet the spirit of your request here, it will still require a document
> describing what the mistakes are, and providing advice on how to avoid them.

Understood. I just think it's going to be tricky to do that without breaking a lot of existing behavior. But in principle, there's nothing wrong with describing security vulnerabilities and workarounds for those.

Keith
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
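The exchange above turns on what a stub resolver actually does with a bare name and a search list, and why that differs between a trusted desktop network and a mobile or multi-interface (MIF) host. The following is an added illustration, not code from the thread or from any resolver: it models the common ndots-style expansion rule, then a defensive policy that applies search suffixes only to bare names and only from interfaces the host operator has marked trusted. Interface names, the `trusted` flag and the sample search domains are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Interface:
    """One attached network with the search list it pushed (e.g. via DHCP)."""
    name: str
    search_list: list      # suffixes learned from this interface (constructed)
    trusted: bool          # operator-configured trust, not learned from the network


def candidate_names(name, search_list, ndots=1):
    """FQDNs a typical stub resolver tries, in order (glibc-like ndots rule).
    A trailing dot disables search; a name with >= ndots dots is tried as-is
    first; a bare name is tried with every search suffix before the literal."""
    if name.endswith("."):
        return [name]
    expanded = [f"{name}.{suffix}." for suffix in search_list]
    literal = [name + "."]
    if name.count(".") >= ndots:
        return literal + expanded
    return expanded + literal


def safe_candidate_names(name, interfaces):
    """Defensive policy for MIF/mobile hosts: only bare names are expanded, and
    only with suffixes from interfaces marked trusted. Suffixes pushed by an
    untrusted network (a hotspot, say) never decide where a bare name goes."""
    if name.endswith("."):
        return [name]
    if "." in name:
        return [name + "."]
    suffixes = [s for iface in interfaces if iface.trusted for s in iface.search_list]
    return [f"{name}.{suffix}." for suffix in suffixes] + [name + "."]


# Constructed sample: a corporate LAN the operator trusts, and a public hotspot.
OFFICE = Interface("eth0", ["corp.example"], trusted=True)
HOTSPOT = Interface("wlan0", ["hotspot.example"], trusted=False)

if __name__ == "__main__":
    # Naive expansion on the hotspot sends the bare name to the hotspot's suffix first.
    print(candidate_names("mail", HOTSPOT.search_list))
    # The policy ignores the hotspot's suffix and keeps only the trusted one.
    print(safe_candidate_names("mail", [OFFICE, HOTSPOT]))
```

Run as a script it prints the naive order for the hotspot and the policy's order for the two-interface host; the difference is the "easy avenue" Ted describes and the MIF mistake the proposed document would need to cover.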
