[not wearing chair hat]

Paul Wouters writes:
> It seems the software still needs work, so probably those vendors can
> adapt based on our requirements. So I think we can pick the option we
> prefer the most. In my opinion, that would be the DS record, because it
> is not as bulky as DNSKEY records.

I think DS records are fine. They are smaller, which is always a benefit, and if software needs to be changed anyway, then I assume it does not matter which we pick...

> A second discussion item that came up was the danger of using strings for
> this option, where people could possibly put evil items in the string,
> such as "IN DS `cat /etc/passwd`". If the DNS wire format is used,
> this attack would be prevented. My issue with that is that I would still
> need to convert the wire format to presentation format to present it to
> the on-the-fly reconfiguration tools of the DNS server. So I don't see
> much value in this additional conversion from a security point of view.

I think we do need to add some kind of warning for implementors in the security considerations section saying do not just take that string and give it to the resolver; verify that it is in the correct format before giving it out. I mean the textual representation has all kinds of other things you can do, so you really want to make sure there is nothing extra in the value. Perhaps even include a regex to match that the value does not have anything extra or dangerous...

We also do not want to allow the server to feed in any other DS records than what it is supposed to serve, and we do not want to allow it to feed in any other records like "www.facebook.com. IN CNAME evil.com".
--
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
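The check the message asks for, as an added example that is not part of the thread or of any IKEv2 implementation: a strict validator that accepts a string only if it is exactly one DS record in presentation format, owned by the domain the configuration is supposed to cover, with field sizes matching RFC 4034. Everything else (shell metacharacters, a second record smuggled in after a newline, a CNAME, a record for some other name) is rejected before the string gets anywhere near a resolver's reconfiguration tool. The function names, the `DSRecord` type and the sample inputs are this example's own; the digest value is a constructed placeholder, not a real key's hash.

```python
import re
from dataclasses import dataclass

# DS digest types and their digest length in bytes
# (RFC 4034 SHA-1, RFC 4509 SHA-256, RFC 6605 SHA-384).
DS_DIGEST_LEN = {1: 20, 2: 32, 4: 48}

# One DNS label: letters, digits, hyphen; 1-63 octets; no leading/trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"

# Exactly one DS record in presentation format: absolute owner name (trailing dot),
# class IN, type DS, the four RDATA fields, and nothing else. No TTL, no comments,
# no continuation lines. Used with fullmatch(), so there is no room for extra text.
_DS_LINE = re.compile(
    rf"(?P<owner>(?:{_LABEL}\.)+)\s+IN\s+DS\s+"
    r"(?P<keytag>\d{1,5})\s+(?P<alg>\d{1,3})\s+(?P<dtype>\d{1,3})\s+"
    r"(?P<digest>[0-9A-Fa-f]+)"
)


@dataclass(frozen=True)
class DSRecord:
    owner: str        # lowercase, absolute
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str       # lowercase hex


def validate_ds_record(line: str, expected_domain: str) -> DSRecord:
    """Parse one DS record strictly; raise ValueError on anything else."""
    # 1. Character-level check: printable ASCII plus TAB only. This alone stops
    #    newlines (a second record hidden on the "same" line), NUL, DEL and any
    #    non-ASCII bytes from reaching the parser at all.
    if any(not (32 <= ord(c) <= 126 or c == "\t") for c in line):
        raise ValueError("control or non-ASCII character in DS record")

    # 2. Shape check: the whole string must be one DS RR. Backticks, semicolons,
    #    $-directives, a trailing CNAME and similar simply do not match.
    m = _DS_LINE.fullmatch(line.strip(" \t"))
    if m is None:
        raise ValueError("string is not exactly one DS record")

    # 3. The owner must be the domain this configuration is allowed to speak for;
    #    a DS for any other name is refused even if it is well-formed.
    owner = m["owner"].lower()
    want = expected_domain.lower().rstrip(".") + "."
    if owner != want:
        raise ValueError(f"owner {owner!r} is not the configured domain {want!r}")

    # 4. Field ranges per RFC 4034, and the digest length implied by the digest type.
    key_tag, alg, dtype = int(m["keytag"]), int(m["alg"]), int(m["dtype"])
    if key_tag > 0xFFFF:
        raise ValueError("key tag out of range")
    if not 1 <= alg <= 255:
        raise ValueError("algorithm out of range")
    if dtype not in DS_DIGEST_LEN:
        raise ValueError(f"unsupported digest type {dtype}")
    digest = m["digest"].lower()
    if len(digest) != 2 * DS_DIGEST_LEN[dtype]:
        raise ValueError("digest length does not match digest type")

    return DSRecord(owner, key_tag, alg, dtype, digest)


def is_valid_ds_record(line: str, expected_domain: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_ds_record(line, expected_domain)
        return True
    except ValueError:
        return False


# Constructed sample inputs. SAMPLE_DIGEST is a placeholder, not a real digest.
SAMPLE_DIGEST = "ab" * 32
GOOD = f"example.com. IN DS 12345 8 2 {SAMPLE_DIGEST}"
BAD = [
    "example.com. IN DS `cat /etc/passwd`",                                # string from the thread
    f"example.com. IN DS 12345 8 2 {SAMPLE_DIGEST}\nwww.example.com. IN A 192.0.2.1",  # smuggled 2nd RR
    "www.example.com. IN CNAME evil.example.",                             # not a DS record
    f"other.example. IN DS 12345 8 2 {SAMPLE_DIGEST}",                     # wrong owner
    f"example.com. IN DS 12345 8 2 {SAMPLE_DIGEST[:-2]}",                  # digest too short for SHA-256
]

if __name__ == "__main__":
    print("accepted:", validate_ds_record(GOOD, "example.com"))
    for s in BAD:
        print("accepted" if is_valid_ds_record(s, "example.com") else "rejected:", repr(s)[:60])
```

The owner-name comparison is what implements the second point in the message: the resolver side decides which domain the configuration may cover, and a DS for any other name is dropped regardless of how clean it looks. Whether the value arrives as text or is first converted from wire format, running it through a check like this before it reaches a reconfiguration tool is what removes the injection concern.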
