John Levine wrote:
I believe that it works to the extent that it covers immediate subdomains
of the domain for which you're publishing an SSP/ASP record.
The question is whether that small amount of coverage is worth the
pushback we will certainly get from the IAB when they see the tree
crawling in our draft. If bad guys know that foo.cisco.com is covered,
why won't they just use foo.bar.cisco.com instead?
Put forward as an efficiency hack, to avoid having to make a number of
one-level-down DNS records, the mechanism has no claim towards affecting
security. Taken on its own, therefore, the question is whether the mechanism is
a) worth the effort on a normal implementation cost vs. operational benefit
basis, and b) worth the effort to run contrary to established DNS practice and,
now, IAB preferences.
Put forward as having any security characteristics, such as enforcing the ASP
security model, this DNS hack is likely to have quite a bit of pushback, as you
note.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
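As an added illustration of the coverage point raised above (example code, not code from this thread or from any ASP/SSP implementation): a simulated policy lookup that compares a plain exact-name lookup with a lookup that also checks the immediate parent, generalized to any number of parent levels. The record contents, the in-memory record table and the `_asp` label being omitted are all assumptions.

```python
from typing import Dict, Optional

# Constructed sample: the only published policy record sits at cisco.com.
# Keys are the DNS names the records are published at (the _asp label is
# left out for brevity); values are the record text, also constructed.
ASP_RECORDS: Dict[str, str] = {
    "cisco.com": "dkim=all",
}


def lookup_asp(domain: str, records: Dict[str, str],
               walk_levels: int = 0) -> Optional[str]:
    """Return the policy record that applies to `domain`, or None.

    walk_levels=0 is the plain lookup: only a record published at the exact
    name counts.  walk_levels=1 models the "immediate subdomains" coverage
    discussed in the thread: a record at the parent name also counts.
    Larger values walk further up, stopping before the TLD.  Lookups are
    answered from the dict; no real DNS query is made.
    """
    labels = domain.lower().rstrip(".").split(".")
    for i in range(walk_levels + 1):
        if len(labels) - i < 2:  # never consult a TLD or the root
            break
        candidate = ".".join(labels[i:])
        if candidate in records:
            return records[candidate]
    return None


def coverage_report(domains, records, walk_levels):
    """Map each name to True/False: is it covered by some record?"""
    return {d: lookup_asp(d, records, walk_levels) is not None
            for d in domains}


if __name__ == "__main__":
    names = ["cisco.com", "foo.cisco.com", "foo.bar.cisco.com"]
    for levels in (0, 1):
        print(f"walk_levels={levels}:", coverage_report(names, ASP_RECORDS, levels))
```

With one parent level, foo.cisco.com resolves to the cisco.com record while foo.bar.cisco.com resolves to nothing, which is the gap the quoted message describes.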
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html