>    If DNSSEC were deployed, I see no reason why SAs could not be
>    bound to domain names.
> 
> I disagree.  IPSEC is about Security at the IP layer, and that means we
> need a security association which is tied to an object which is
> addressable at the IP layer --- an IP address.

except that, 99% of the time, the address is obtained from DNS, and,
realistically, you care more about the authenticated identity of the
peer than its address.

> A DNS name doesn't qualify; a single DNS name can resolve to many
> different IP addresses, potentially representing multiple different
> hosts.  Some people do this for load-balancing purposes (to Randy Bush's
> infinite disgust, but this is the reality).
> 
> Also, riddle me this: What host is addressed by the DNS name
> a456.g.akamai.net?  For me at home, it happens to be 207.87.18.169.
> Except when I'm logged into MIT, when it's *either* 18.7.0.12 *or*
> 18.7.0.10.  Betcha it's different for you.  :-)

"any problem in CS can be solved by adding another level of
indirection".  If we were to use the DNS name as the identity at each
end of the SA, a456.g.akamai.net could turn into a CNAME pointing at
the "real" server...

And it might not matter ... from the point of view of the *services*
provided, regardless of *which* instance of a456.g.akamai.net you
connect to, you get the same data...  it's just another face of the
greater akamai distributed hive mind.  [I assume that for
operational/management purposes, akamai has per-replica names which
are different from the ones given out in akamaized URLs].

                                                - Bill
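The "another level of indirection" argument above, as an added example that is not part of the thread: a toy resolver over a constructed zone (the a456.g.akamai.net name is from the thread; the replica name, the example.net names and the record contents are made up) that follows CNAME chains to a canonical name, returns the full address set for that name, and answers the policy question a name-bound SA check would ask: does the address I am actually talking to belong to the named identity? It also refuses CNAME loops and over-long chains, the failure mode a resolver-backed identity check has to handle.

```python
"""Added example (not from the mailing-list thread): a toy DNS resolver
over constructed records, modelling an SA identity that is bound to a
DNS name rather than to one of its many IP addresses."""

# Constructed zone data: record type -> owner name -> target(s).
# a456.g.akamai.net is the name discussed in the thread; everything else
# (replica name, example.net names, addresses) is illustrative only.
ZONE = {
    "CNAME": {
        "a456.g.akamai.net.": "replica-07.internal.example.net.",  # assumed per-replica name
        "www.example.net.": "a456.g.akamai.net.",                  # akamaized URL host
        "loop-a.example.net.": "loop-b.example.net.",              # deliberate CNAME loop
        "loop-b.example.net.": "loop-a.example.net.",
    },
    "A": {
        # one canonical name, several addresses (the load-balancing case)
        "replica-07.internal.example.net.": ["207.87.18.169", "18.7.0.12", "18.7.0.10"],
        "mail.example.net.": ["192.0.2.25"],
    },
}

MAX_CNAME_HOPS = 8  # assumed resolver limit; guards against loops and abuse


def canonical_name(name, zone=ZONE):
    """Follow CNAME indirection until a non-alias name is reached.

    Raises ValueError on a CNAME loop or a chain longer than MAX_CNAME_HOPS,
    so a hostile or broken zone cannot make the identity check spin.
    """
    seen = []
    while name in zone["CNAME"]:
        if name in seen or len(seen) >= MAX_CNAME_HOPS:
            raise ValueError(f"CNAME chain loop or too long at {name}")
        seen.append(name)
        name = zone["CNAME"][name]
    return name


def resolve(name, zone=ZONE):
    """Return (canonical name, list of addresses) for a name."""
    cname = canonical_name(name, zone)
    return cname, list(zone["A"].get(cname, []))


def address_belongs_to(name, addr, zone=ZONE):
    """Policy check for a name-bound SA: is addr one of the addresses
    the named identity currently maps to?"""
    _, addrs = resolve(name, zone)
    return addr in addrs


def identity_for_address(addr, zone=ZONE):
    """Reverse view: which canonical identity does an address belong to?
    Returns None if the address is not in the zone (address alone is not
    an identity; it only means something through the name it serves)."""
    for cname, addrs in zone["A"].items():
        if addr in addrs:
            return cname
    return None


if __name__ == "__main__":
    print(resolve("www.example.net."))
    print(address_belongs_to("a456.g.akamai.net.", "18.7.0.12"))
    print(identity_for_address("207.87.18.169"))
    try:
        canonical_name("loop-a.example.net.")
    except ValueError as exc:
        print("rejected:", exc)
```

The point the toy makes is that the three addresses the quoted message lists are all one identity once the name is the key; an SA keyed on any single one of them breaks as soon as the resolver hands out another. The check does not authenticate anything by itself; under the thread's premise that DNSSEC is deployed, the CNAME and A records it walks would be the signed ones.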
