Re: Summary of the LLMNR Last Call

To: Bernard Aboba <aboba at internaut.com>
Subject: Re: Summary of the LLMNR Last Call
From: Bill Manning <bmanning at karoshi.com>
Date: Mon, 26 Sep 2005 12:26:13 -0700
Cc: Margaret Wasserman <margaret at thingmagic.com>, ietf at ietf.org, "Steven M. Bellovin" <smb at cs.columbia.edu>
In-reply-to: <Pine.LNX.4.61.0509201051100.16781@internaut.com>
List-help: <mailto:ietf-request@ietf.org?subject=help>
List-id: IETF-Discussion <ietf.ietf.org>
List-post: <mailto:ietf@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
References: <20050920161934.B589F3BFCC6@berkshire.machshav.com> <Pine.LNX.4.61.0509201051100.16781@internaut.com>
Sender: ietf-bounces at ietf.org


On Sep 20, 2005, at 10:55, Bernard Aboba wrote:

DNSsec is very important for other reasons, such as the current
pharming attacks.  The risks have been known in the security community
since at least 1991, and publicly since at least 1995.  The long-
predicted attacks are now happening.  We really need to get DNSsec
deployed, independent of mDNS or LLMNR.  Given that there is now some
forward progress on DNSsec, it's not at all unreasonable for either or
both of those specs to rely on it to solve some of their particular
security risks.
Couldn't agree more. But if I'm not mistaken, the current DNSSEC specifications do not mandate that DNS stub resolvers be DNSSEC-aware validating, which is what would be required for use in a peer-to-peer name resolution protocol. There is also the DNSEXT WG edict that mDNS/LLMNR not share a cache with DNS, which makes it difficult for mDNS/LLMNR to utilize trust anchors or acquired keys present in the DNS cache.

not to distract too much from the LC issues.... but there is an ongoing effort to define ways to have a standard API for validation by applications. Part of that work is understand what the term "cache" means in this context. And does validation have to work in lockstep w/ resolution? Regardless, a common API is highly valuable. there have been a couple of meetings on these issues already and we would be glad to have more inputs.

--bill


_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

References:
- Re: Summary of the LLMNR Last Call
  - From: Steven M. Bellovin
- Re: Summary of the LLMNR Last Call
  - From: Bernard Aboba

Prev by Date: Re: delegating (portions of) ietf list disciplinary process
Next by Date: Re: UN
Previous by thread: Re: Summary of the LLMNR Last Call
Next by thread: Re: Summary of the LLMNR Last Call
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.

Re: Summary of the LLMNR Last Call

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.