On Wed, Jul 13, 2016 at 3:42 PM, John R Levine <jo...@taugh.com> wrote:
> why all that complexity? if some remote device (iot thingy) wants 'dns over >> http' why would it not (as a first order answer) just ask >> /cgi-bin/dnslookup for 'srv:foo.com' ? (returned answer in txt, json, >> etc...) >> >> why bother with a bunch of javascript tomfoolery? >> > > Security in IoT is close to an oxymoron, but my device would like to check > the signature before trusting what your proxy says. > > ok, I'm sure your device has some agreement with the cooperating http(s) server though, right? it can get the text / bas64 rrsig content just as easily as if it were doing udp/dns. (it should probably also check ssl certificates/etc to make sure traffic did not get wonked in flight)
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
