Re: Summary of the LLMNR Last Call

2005-09-29 19:19:35

On Sep 20, 2005, at 10:55, Bernard Aboba wrote:

DNSsec is very important for other reasons, such as the current
pharming attacks.  The risks have been known in the security community
since at least 1991, and publicly since at least 1995.  The long-
predicted attacks are now happening.  We really need to get DNSsec
deployed, independent of mDNS or LLMNR.  Given that there is now some
forward progress on DNSsec, it's not at all unreasonable for either or
both of those specs to rely on it to solve some of their particular
security risks.

Couldn't agree more.  But if I'm not mistaken, the current DNSSEC
specifications do not mandate that DNS stub resolvers be DNSSEC-aware
validating, which is what would be required for use in a peer-to-peer name
resolution protocol.  There is also the DNSEXT WG edict that mDNS/LLMNR
not share a cache with DNS, which makes it difficult for mDNS/LLMNR to
utilize trust anchors or acquired keys present in the DNS cache.

Not to distract too much from the LC issues... but there is an ongoing effort to define ways to have a standard API for validation by applications. Part of that work is understanding what the term "cache" means in this context. And does validation have to work in lockstep w/ resolution? Regardless, a common API is highly valuable. There have been a couple of meetings on these issues already, and we would be glad to have more inputs.

--bill


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf

