
Re: naming

2000-12-19 07:40:02
At 22:54 18/12/00, Donald E. Eastlake 3rd wrote:
> If DNSSEC were deployed, I see no reason why SAs
> could not be bound to domain names.

        The semantics of an FQDN is not as crisp and clear
these days as it once was.

        For example, www.cnn.com names a set of content 
(served by an array of different server hosts with a 
front-end web widget), rather than naming a single given host.  

        Unicast ESP/AH SAs have to be between pairs of hosts.
So FQDNs can't quite do the trick, even with DNSSEC, in
the general case.  In certain special cases, where an FQDN
does happen to map 1:1 to a host, then it might be used
iff there were a way to distinguish that case from the murky
case.

(NB: my analysis above assumes that DNSSEC is widely deployed 
and ubiquitously available; in the current reality of very limited
DNSSEC deployment, things aren't quite as nice as what
I outline above).

Cheers,

Ran
rja@inet.org
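The distinction Ran draws above, between an FQDN that names a set of hosts (www.cnn.com style) and one that happens to map 1:1 to a host, is something a resolver-side check can approximate. The following is an added example, not code from the thread or from any IETF work: it samples the forward answer several times, unions the addresses, and then confirms the single-address case by checking that the PTR round-trips to the same name. The resolver, the zone data, and the names (www.example.com, gw1.example.net, vpn.example.net, stray.example.org) are constructed for the example, with addresses from the RFC 5737 documentation ranges. Two caveats the message itself implies: DNS alone cannot tell a multihomed single host from a server array, so the "set" verdict is deliberately conservative; and without DNSSEC every answer used here could have been forged, so the verdict says nothing about who is at the other end of the SA.

```python
"""Classify whether an FQDN can stand for a single SA endpoint.

Added example, not part of the original thread. Uses a constructed
in-memory resolver so it runs offline; swap in a real resolver with
the same lookup()/reverse() shape to try it against live DNS.
"""
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed answers standing in for real DNS responses (RFC 5737 addresses).
FORWARD_ANSWERS: Dict[str, List[List[str]]] = {
    # A content name served by an array of hosts: successive answers are the
    # same record set rotated, as a round-robin front end would return them.
    "www.example.com.": [
        ["192.0.2.11", "192.0.2.12", "192.0.2.13"],
        ["192.0.2.12", "192.0.2.13", "192.0.2.11"],
    ],
    # A name that maps 1:1 to a host and whose PTR names it back.
    "gw1.example.net.": [["198.51.100.7"], ["198.51.100.7"]],
    # An alias sharing gw1's address; the PTR points at gw1, not at the alias.
    "vpn.example.net.": [["198.51.100.7"], ["198.51.100.7"]],
    # A single address with no reverse mapping at all.
    "stray.example.org.": [["203.0.113.9"], ["203.0.113.9"]],
}
REVERSE_ANSWERS: Dict[str, List[str]] = {
    "192.0.2.11": ["www-node1.example.com."],
    "192.0.2.12": ["www-node2.example.com."],
    "192.0.2.13": ["www-node3.example.com."],
    "198.51.100.7": ["gw1.example.net."],
    # 203.0.113.9 deliberately has no PTR record.
}


class FakeResolver:
    """Replays constructed answers in order, so repeated queries see rotation."""

    def __init__(self, forward: Dict[str, List[List[str]]],
                 reverse: Dict[str, List[str]]) -> None:
        self._forward = forward
        self._reverse = reverse
        self._calls: Dict[str, int] = {}

    def lookup(self, name: str) -> List[str]:
        """Forward (A-style) lookup; returns [] for a name with no answer."""
        answers = self._forward.get(name)
        if not answers:
            return []
        i = self._calls.get(name, 0)
        self._calls[name] = i + 1
        return list(answers[i % len(answers)])

    def reverse(self, addr: str) -> List[str]:
        """PTR lookup; returns [] when the address has no reverse mapping."""
        return list(self._reverse.get(addr, []))


def classify(name: str, resolver: FakeResolver,
             samples: int = 3) -> Tuple[str, Optional[str], FrozenSet[str]]:
    """Decide whether NAME identifies one host, or a set, or neither.

    Returns (verdict, canonical_name, addresses) where verdict is:
      "host"       one address across all samples, PTR names NAME itself
      "alias"      one address, PTR names another FQDN that resolves back to it
      "unverified" one address, but no PTR or a PTR that does not round-trip
      "set"        more than one address seen: a server array, or a multihomed
                   host; DNS alone cannot say which (the "murky" case)
      "nxdomain"   no answer at all
    """
    seen = set()
    for _ in range(samples):
        seen.update(resolver.lookup(name))
    if not seen:
        return "nxdomain", None, frozenset()
    if len(seen) > 1:
        return "set", None, frozenset(seen)
    (addr,) = seen
    ptr_names = resolver.reverse(addr)
    if name in ptr_names:
        return "host", name, frozenset(seen)
    if ptr_names:
        # Treat the PTR target as canonical only if it resolves back to addr.
        canon = ptr_names[0]
        if addr in resolver.lookup(canon):
            return "alias", canon, frozenset(seen)
    return "unverified", None, frozenset(seen)


if __name__ == "__main__":
    r = FakeResolver(FORWARD_ANSWERS, REVERSE_ANSWERS)
    for n in FORWARD_ANSWERS:
        print(n, classify(n, r))
```

Only the "host" verdict (and, after renaming to the canonical name, "alias") is a candidate for binding an SA to the FQDN; "set" is exactly the www.cnn.com case the message describes, and "unverified" is the case where forward DNS says one thing and nothing confirms it.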
