nanog mailing list archives
Re: Nxdomain redirect revenue
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Tue, 27 Sep 2011 10:49:56 -0400
On Tue, Sep 27, 2011 at 10:19 AM, <Valdis.Kletnieks () vt edu> wrote:
> On Tue, 27 Sep 2011 09:27:00 EDT, Christopher Morrow said:
>> On Tue, Sep 27, 2011 at 7:50 AM, Jimmy Hess <mysidia () gmail com> wrote:
>>> I would rather see DNSSEC and TLS/HTTPS get implemented end to end.
>>
>> how does tls/https help here? if you get sent to the 'wrong host'
>> whether or not it does https/tls is irrelevant, no? (save the case of
>> chrome and domain pinning)
>
> Well, actually, Chrome-like domain pinning and/or using DNSSEC to verify the
> provenance of an SSL cert is the whole reason Jimmy probably wants DNSSEC and
> TLS...
>
> Unless you do that sort of stuff, there's no way to *tell* if you ended up at
> the wrong host...

to paraphrase mo: "this will not scale" (you can't possibly pin
everyone that matters (to all users) inside the binary)

It's a cute intermediate trick until the CA problem is
resolved/executed and DNSSEC arrives in full (on the service AND
client side).

-chris