Subject: Re: conjoining dns-forgery-resilience with dns-0x20; also, rtt banding
Date: Wed, 12 Mar 2008 21:29:03 +0000
From: Paul Vixie
Message-ID: <29775.1205357343@sa.vix.com>
| there's no way to make this go away, ever, except with a new label type,
| whose definition will/would presumably be made to preclude this kind of
| evilness.
Not true, there's nothing in the DNS currently (before your draft) which is
depending upon this "feature" - sure, implementations have to handle it,
but nothing is relying upon its existence (not in the DNS itself).
Thus, it can be changed. It would take a very long time, and a process
of smaller steps, but it could be done.
It cannot be if we start to actually rely upon it however, so that's
what I'd suggest should not be done.
| of course. likewise hp.com is less secure than dec.com and so on.
| bad idea, bad design. except that it's better than nothing.
I actually disagree. I think it is worse than nothing, as it
points the attacks at the worst possible place - that is, it motivates
attacking the place where most damage would be caused.
| since we seem to agree that copying the question is what everybody does and
| what everybody should keep doing and what should be clarified in the spec,
| then you appear to be arguing that responses ought not use this copied
| question as a compression pointer target.
No. Though I wouldn't object to one that didn't.
| we can't. i'm already marvelling, i'm already laughing
| but i'm not avoiding, and my lack of avoidance is completely within
| the spec.
The place to start on eliminating (ascii only) case independence would
be to issue a spec that requires resolvers to always look up the exact name
passed (no case conversions, ever.)
Aside from your hack, that's what resolvers (that I know of) do now anyway,
so perhaps we should start with that, today.
Then you'd no longer be within spec...
kre
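Added example, not part of the message above or of any implementation the thread discusses: a small Python model of the two things being argued about. It builds a query whose name has its ASCII letters' case chosen randomly (the dns-0x20 idea), checks a response by comparing the copied question back against the query exactly (no case conversion, the behaviour kre says resolvers should be required to have) versus with the traditional case-insensitive comparison, and shows that an answer whose owner name is a compression pointer into the copied question inherits that question's case when decoded. The names, query ID, addresses and the `evaluate`/`demo` helpers are constructed for illustration.

```python
from __future__ import annotations

import random
import struct

# Minimal RFC 1035 wire-format helpers (constructed for this example).

def randomize_case(name: str, rng: random.Random) -> str:
    """Return NAME with each ASCII letter's case chosen by RNG (dns-0x20 style)."""
    return "".join(
        (c.upper() if rng.getrandbits(1) else c.lower()) if c.isascii() and c.isalpha() else c
        for c in name
    )

def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels, preserving case byte for byte."""
    out = bytearray()
    stripped = name.rstrip(".")
    for label in (stripped.split(".") if stripped else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    return bytes(out)

def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a name at OFFSET, following compression pointers.

    Returns (name, offset just past the name as it appears at its original position).
    """
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: 14-bit offset into the message
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)

def build_query(qid: int, qname: str, qtype: int = 1) -> bytes:
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def build_response(query: bytes, rdata: bytes, question_override: bytes | None = None) -> bytes:
    """Response echoing the query's question (or QUESTION_OVERRIDE) plus one A record
    whose owner name is a pointer to offset 12, i.e. to the copied question."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:] if question_override is None else question_override
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 question, 1 answer
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer

def parse_message(msg: bytes) -> dict:
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((owner, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"id": qid, "qr": bool(flags & 0x8000), "qname": qname,
            "qtype": qtype, "qclass": qclass, "answers": answers}

def response_accepted(query: bytes, response: bytes, case_sensitive: bool = True) -> bool:
    """Accept RESPONSE only if ID, QR bit, type/class and the question name all match.
    With case_sensitive=True the name must match exactly (no case conversion, ever);
    otherwise the classic case-insensitive comparison is used."""
    q, r = parse_message(query), parse_message(response)
    if q["id"] != r["id"] or not r["qr"]:
        return False
    if (q["qtype"], q["qclass"]) != (r["qtype"], r["qclass"]):
        return False
    if case_sensitive:
        return q["qname"] == r["qname"]
    return q["qname"].lower() == r["qname"].lower()

def evaluate(qname: str) -> dict:
    """Compare a faithful echo of the question against one canonicalised to lower case."""
    query = build_query(0x1234, qname)
    rdata = bytes([192, 0, 2, 1])  # constructed address from the documentation range
    faithful = build_response(query, rdata)
    lowered = build_response(query, rdata,
                             question_override=encode_name(qname.lower()) + query[-4:])
    return {
        "qname": qname,
        "faithful_strict": response_accepted(query, faithful, True),
        "faithful_loose": response_accepted(query, faithful, False),
        "lowered_strict": response_accepted(query, lowered, True),
        "lowered_loose": response_accepted(query, lowered, False),
        # owner name of the A record, reached through the pointer into the question
        "faithful_owner": parse_message(faithful)["answers"][0][0],
        "lowered_owner": parse_message(lowered)["answers"][0][0],
    }

def demo() -> dict:
    rng = random.Random(20080312)  # fixed seed so the run is reproducible
    return evaluate(randomize_case("www.example.com.", rng))

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The strict comparison is the check that gives 0x20 mixing any value: a response that did not carry the exact bytes of the question back is discarded. Note that the answer's owner name, being a pointer to the question, decodes to whatever case the question bytes have, which is why the thread cares whether responders copy the question verbatim.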