
Re: NATs *ARE* evil!

2000-12-19 08:40:03
   If DNSSEC were deployed, I see no reason why SAs could not be
   bound to domain names.

   I disagree.  IPSEC is about Security at the IP layer, and that means we
   need a security association which is tied to an object which is
   addressable at the IP layer --- an IP address.

except that, 99% of the time, the address is obtained from DNS, and,
realistically, you care more about the authenticated identity of the
peer than its address..

   A DNS name doesn't qualify; a single DNS name can resolve to many
   different IP addresses, potentially representing multiple different
   hosts.  Some people do this for load-balancing purposes (to Randy Bush's
   infinite disgust, but this is the reality).

   Also, riddle me this: What host is addressed by the DNS name
   a456.g.akamai.net?  For me at home, it happens to be 207.87.18.169.
   Except when I'm logged into MIT, when it's *either* 18.7.0.12 *or*
   18.7.0.10.  Betcha it's different for you.  :-)

"any problem in CS can be solved by adding another level of
indirection".  If we were to use the DNS name as the identity at each
end of the SA, a456.g.akamai.net could turn into a CNAME pointing at
the "real" server...

And it might not matter ... from the point of view of the *services*
provided, regardless of *which* instance of a456.g.akamai.net you
connect to, you get the same data...  it's just another face of the
greater akamai distributed hive mind.  [I assume that for
operational/management purposes, akamai has per-replica names which
are different from the ones given out in akamaized url's].

                                                - Bill
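The following is an added toy model of the two positions in the message above (an SA selector bound to an IP address versus one bound to a DNS name); it is not code from the thread or from any IPsec implementation. The zone data is constructed: the per-vantage answers mimic the home/MIT example given above, and the per-replica names (replica-a/replica-b.ops.example.net.) and the "loop" vantage are assumptions added for illustration. The model performs no authentication; the names the peer "answers to" stand in for an identity that the thread assumes would be verified via DNSSEC.

```python
"""Toy model of SA identity binding: address-bound vs. name-bound selectors.

Constructed example for illustration; not code from the thread or from any
IPsec stack. The zone below is invented (replica names and per-vantage
answers are assumptions) and only mimics the behaviour the thread describes,
where one name resolves differently from home and from MIT.
"""
from dataclasses import dataclass

# Per-vantage view of the same constructed zone. Each value is
# (record type, rdata): a CNAME carries a target name, an A record a list
# of addresses. The "loop" vantage exists only to exercise the CNAME guard.
ZONES = {
    "home": {
        "a456.g.akamai.net.": ("CNAME", "replica-a.ops.example.net."),
        "replica-a.ops.example.net.": ("A", ["207.87.18.169"]),
    },
    "mit": {
        "a456.g.akamai.net.": ("CNAME", "replica-b.ops.example.net."),
        "replica-b.ops.example.net.": ("A", ["18.7.0.12", "18.7.0.10"]),
    },
    "loop": {
        "x.example.net.": ("CNAME", "y.example.net."),
        "y.example.net.": ("CNAME", "x.example.net."),
    },
}


def resolve(name, vantage, max_chain=8):
    """Follow CNAMEs from `name` as seen from `vantage`.

    Returns (canonical_name, [addresses]). Raises LookupError for a missing
    name and ValueError if the CNAME chain exceeds `max_chain`, the usual
    guard a resolver applies against CNAME loops.
    """
    zone = ZONES[vantage]
    for _ in range(max_chain):
        record = zone.get(name)
        if record is None:
            raise LookupError(f"NXDOMAIN: {name}")
        rtype, rdata = record
        if rtype == "CNAME":
            name = rdata          # one more level of indirection
            continue
        return name, list(rdata)
    raise ValueError(f"CNAME chain from {name} too long")


@dataclass(frozen=True)
class SA:
    """Selector for a security association: who the peer must be."""
    id_type: str   # "addr": bound to an IP address; "fqdn": bound to a name
    id_value: str


def sa_matches(sa, peer_addr, peer_names):
    """Would this SA select the peer?

    `peer_names` stands for identities the peer asserted and that were
    authenticated out of band (the thread assumes DNSSEC for that). This
    toy performs no authentication; it only compares identifiers.
    """
    if sa.id_type == "addr":
        return sa.id_value == peer_addr
    if sa.id_type == "fqdn":
        return sa.id_value in peer_names
    raise ValueError(f"unknown id_type {sa.id_type!r}")


def reach(sa, vantage, service="a456.g.akamai.net."):
    """Connect to `service` from `vantage`; for each address the name
    resolves to, report whether `sa` would select that peer.

    The peer is taken to answer to both the service alias and its own
    canonical (per-replica) name, so a name-bound SA can pin either the
    service as a whole or one specific replica.
    """
    canonical, addrs = resolve(service, vantage)
    peer_names = {service, canonical}
    return {addr: sa_matches(sa, addr, peer_names) for addr in addrs}


if __name__ == "__main__":
    by_addr = SA("addr", "207.87.18.169")                  # the address seen at home
    by_service = SA("fqdn", "a456.g.akamai.net.")          # the service, wherever it is
    by_replica = SA("fqdn", "replica-b.ops.example.net.")  # one specific host
    for sa in (by_addr, by_service, by_replica):
        for vantage in ("home", "mit"):
            print(sa, vantage, reach(sa, vantage))
```

Run stand-alone, the address-bound SA configured at home matches nothing from MIT, where the same name hands out two other addresses; the SA bound to the service name matches every replica; the SA bound to a canonical per-replica name matches exactly one host, which is the indirection the message proposes as an answer to the "many hosts behind one name" objection.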


