Thanks for the comments. While digesting them, I have one comment:
On 6 mar 2015, at 07:14, John C Klensin <john-ietf(_at_)jck(_dot_)com> wrote:
> Generally, while I think you should warn that URI records may
> cause some risks that do not exist with, e.g., conventional name
> to address mappings (note that the "downgrade attack or not"
> considerations above would apply equally well to:
>
>     foo.example.com. IN A 10.2.0.44
>
> being diverted into a response of
>
>     foo.example.com. IN A 10.0.0.6
>
> (which would be, historically, a likely upgrade attack, but it
> has nothing to do with URI records but is equally preventable by
> an integrity check.))
>
> As long as there is a warning, I really don't care very much
> what you say, but whatever you do say should be as accurate as
> possible.
I also see tons of zeroconf stuff (Apple Bonjour) using DNS already today in
the geographically local context without much DNSSEC.
Patrik