Re: [DNSOP] Extended CNAME (ENAME)

2014-05-20 Thread Ben Laurie
On 20 May 2014 04:54, Paul Vixie wrote: > > > Ted Lemon wrote: > > On May 19, 2014, at 6:12 PM, David C Lawrence wrote: > > Not so much pushing required, at least of Akamai. You have a > ready-made [SRV] ally in me, if only clients actually made good use of it. > The clients are the real obstacl

Re: [DNSOP] Current DNSOP thread and why 1024 bits

2014-04-03 Thread Ben Laurie
On 3 April 2014 04:18, David Conrad wrote: > Paul, > > On Apr 3, 2014, at 12:38 AM, Paul Wouters wrote: Saving space and time does matter. Roughly half the operators I studied would include a backup key on-line because "they could" with the shorter length. And performance does

Re: [DNSOP] [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC

2010-10-02 Thread Ben Laurie
On 1 October 2010 16:15, Phillip Hallam-Baker wrote: > > > On Fri, Oct 1, 2010 at 6:05 PM, Matt McCutchen > wrote: >> >> On Fri, 2010-10-01 at 11:29 -0400, Phillip Hallam-Baker wrote: >> > In particular I am very concerned about the particular approach being >> > taken to security policy. What th

Re: [DNSOP] [TLS] Cert Enumeration and Key Assurance With DNSSEC

2010-10-01 Thread Ben Laurie
On 1 October 2010 08:29, Phillip Hallam-Baker wrote: > The reason that I started with the requirement to use SSL is that security > policy relating to trust criteria is meaningless until you have a statement > that use of SSL is required. I can't agree with this. If a user types an https URL, say

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-10 Thread Ben Laurie
Tony Finch wrote: On Sun, 10 Aug 2008, Ben Laurie wrote: Tony Finch wrote: On Sun, 10 Aug 2008, Ted Lemon wrote: Paul's comment (the first of the three articles you quoted) implies that secure NXDOMAIN is not a feature of Ohta-san's proposal. That seems like a bit of a problem, be

Re: [DNSOP] Kaminsky on djbdns bugs (fwd)

2008-08-10 Thread Ben Laurie
Tony Finch wrote: On Sun, 10 Aug 2008, Ted Lemon wrote: Paul's comment (the first of the three articles you quoted) implies that secure NXDOMAIN is not a feature of Ohta-san's proposal. That seems like a bit of a problem, because fake domains are definitely a useful phishing tool. As far as

Re: [DNSOP] A6 queries

2007-03-27 Thread Ben Laurie
Roy Arends wrote: > During the last meeting, Kurtis Lindquist asked an interesting question. > He asked if anyone had a good explanation for the amount of requests for > the now experimental type A6 Resource Record. This exact question was > asked by David Malone during the OARC meeting (July 2005)

Re: [DNSOP] what's the right thing to do upon receiving something like this?

2007-02-19 Thread Ben Laurie
Edward Lewis wrote: > At 10:55 + 2/19/07, Tony Finch wrote: >> On Mon, 19 Feb 2007, Edward Lewis wrote: >>> >>> 3) I don't buy this as a security risk. I don't think there is a >>> problem >>> here. >> >> It allows you to use a DNS server to tunnel past a firewall. It allows >> you >> to use