
Re: Security requirements for identification



> I'm trying to follow this thread, which seems very interesting, but I'm 
> surprised with this statement. IMO when you make a DNS query
> you want to get the identifier of the end-point, to be able to start
> the communication. Although it's true that the name usually
> gives hints about the service, this isn't always true. If you
> need "www.google.com", you already know that the service will
> be "HTTP". You don't ask the DNS for the service, what you really
> need to know is the address of "google" to start the HTTP transfer.

Perhaps the "service" vs. "hostname" is confusing. It isn't about the upper
layer protocols in any case.

The issue is that today when you ask for A (or AAAA) records for a given fqdn
you might get back multiple answers, but it isn't clear whether the multiple
answers are
 - multiple IP addresses for the same host/endpoint (i.e. the entity which
   holds the TCP and application state),
 - multiple IP addresses for the service but implemented by different endpoints,
 - some combination (6 IP addresses for 3 hosts which each have 2 IP addresses).
This distinction is important for multi6, since you don't want to try to
failover your TCP/application communication to an endpoint which doesn't have
the TCP/application state.

Is that more clear?

  Erik
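The ambiguity Erik describes, as an added illustration that is not part of the thread: a flat A/AAAA answer erases which addresses belong to the same host, so a failover that picks "the next address" can land on an endpoint without the connection state. The host names, addresses and the per-host grouping are constructed sample values, not anything from a real resolver.

```python
from dataclasses import dataclass, field


@dataclass
class Host:
    """One endpoint: the entity that holds the TCP/application state."""
    name: str
    addresses: list
    connections: set = field(default_factory=set)  # ids of connections held here


def sample_hosts():
    # Constructed sample: one name, 6 addresses, 3 hosts with 2 addresses each
    return [
        Host("h1", ["192.0.2.1", "2001:db8::1"]),
        Host("h2", ["192.0.2.2", "2001:db8::2"]),
        Host("h3", ["192.0.2.3", "2001:db8::3"]),
    ]


def dns_answer(hosts):
    """What a resolver hands back today: A records, then AAAA records, with no
    indication of which addresses belong to the same host."""
    a = [ad for h in hosts for ad in h.addresses if ":" not in ad]
    aaaa = [ad for h in hosts for ad in h.addresses if ":" in ad]
    return a + aaaa


def host_for(addr, hosts):
    return next(h for h in hosts if addr in h.addresses)


def open_connection(conn_id, addr, hosts):
    host_for(addr, hosts).connections.add(conn_id)


def failover(conn_id, current, candidates, hosts):
    """Pick the first alternate address; succeed only if that address's host
    actually holds the connection state. Returns (address, success)."""
    alt = next(ad for ad in candidates if ad != current)
    return alt, conn_id in host_for(alt, hosts).connections


def naive_failover(conn_id, current, hosts):
    # Treat the flat DNS answer as the candidate set.
    return failover(conn_id, current, dns_answer(hosts), hosts)


def locator_set_failover(conn_id, current, hosts):
    # Candidates limited to the same endpoint's own addresses, i.e. the
    # per-host grouping the flat answer does not convey.
    return failover(conn_id, current, host_for(current, hosts).addresses, hosts)
```

With a connection opened to 192.0.2.1, the naive strategy moves to 192.0.2.2 (host h2, no state) and fails, while restricting candidates to h1's own locator set moves to 2001:db8::1 and keeps the state.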