On Jul 10, 2018, at 17:41, Ted Lemon <[email protected]> wrote:

> On Tue, Jul 10, 2018 at 12:34 PM, Joe Abley <[email protected]> wrote:
>
> > But this is really equivalent in just about every important way to
> > sending the normal <img src="https://example.com/img/f.jpg"> along with a
> > pushed DNS record that indicates that "example.com" resolves to
> > "192.0.2.1" -- and this latter thing is (to my understanding, at least) in
> > scope of the conversation that Patrick is proposing to have.
> >
> > My question is why you would involve the DNS at all if all the
> > performance-based resolution decisions can be made without it. You're
> > just adding cost and complexity without benefit.
>
> The ip= modifier would be a great way to arrange for something to look like
> it came from a different source than its actual source. I'm sure there's an
> attack surface in there somewhere.

I haven't thought hard enough to say what vulnerability that would enable that
wasn't already there using unsigned zones (because enterprise DNS tricks or
some other reason) but you're probably right.

Joe
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
