On Fri, Feb 27, 2015 at 10:24 AM, Pete Resnick
<presnick(_at_)qti(_dot_)qualcomm(_dot_)com> wrote:
On 2/25/15 9:18 PM, Sam Hartman wrote:
[...]
After speaking with Patrik, I think you have convinced us: The correct thing
to do at this point is to take out all of the information beyond a simple
description of the RR, beef up the security considerations to describe the
security issue, and make that document Informational.

I would much prefer a Standards-Track document that says to
authenticate the origin domainname as follows:

- use DNSSEC for all DNS queries needed to find the URI RRs and DANE
  to authenticate the authorities of the resulting URIs

or

- expect the target authorities to have certificates that
  authenticate the origin, using SNI if need be.

I would still drop everything related to NAPTR and DDDS.

Nico
--