
Re: Evaluation: draft-ietf-dnsext-ad-is-secure



In message <Roam.SIMC.2.0.6.1057786493.15936.nordmark@bebop.france>, Erik Nordmark writes:
>
>>    I fear that implementors will trust the AD bit as meaning "secure" and 
>> then not bother to protect the transport, which admits the possibility of 
>> spoofing attacks.  Therefore I propose an alternative paragraph for the RFC 
>> Editor note:
>> 
>>      In the latter two cases, the end consumer must also completely
>>      trust the network path to the trusted resolvers or a secure
>>      transport is employed to protect the traffic.
>
>It was smb that suggested 
>	In the latter two cases, the end consumer must also trust the
>	path to the trusted resolvers.
>so as long as he is ok with the above text ...

Either is fine with me.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)