Date: Wed, 12 Mar 2008 21:29:03 +0000
From: Paul Vixie
Message-ID: <29775.1205357343@sa.vix.com>

| there's no way to make this go away, ever, except with a new label type,
| whose definition will/would presumably be made to preclude this kind of
| evilness.

Not true, there's nothing in the DNS currently (before your draft) which is
depending upon this "feature" - sure, implementations have to handle it,
but nothing is relying upon its existance (not in the DNS itself).

Thus, it can be changed. It would take a very long time, and a process
of smaller steps, but it could be done.

It cannot be if we start to actually rely upon it however, so that's
what I'd suggest should not be done.

| of course. likewise hp.com is less secure than dec.com and so on.
| bad idea, bad design. except that it's better than nothing.

I actually disagree. I think it is worse than nothing, as it
points the attacks at the worst possible place - that is, it motivates
attacking the place where most damage would be caused.

| since we seem to agree that copying the question is what everybody does and
| what everybody should keep doing and what should be clarified in the spec,
| then you appear to be arguing that responses ought not use this copied
| question as a compression pointer target.

No. Though I wouldn't object to one that didn't.

| we can't. i'm already marvelling, i'm already laughing
| but i'm not avoiding, and my lack of avoidance is completely within
| the spec.

The place to start on eliminating (ascii only) case independance would
be to issue a spec that requires resolvers to always look up the exact name
passed (no case conversions, ever.)

Aside from your hack, that's what resolvers (that I know of) do now anyway,
so perhaps we should start with that, today.

Then you'd no longer be within spec...

kre


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: