[Standards] RFC 3920, 10.2/10.3: subdomain routing rules

Bruce Campbell b+jabber at bruce-2007.zerlargal.org
Wed Mar 28 14:40:10 UTC 2007


On Wed, 28 Mar 2007, Ralph Meijer wrote:

> On Wed, 2007-03-28 at 09:42 +0000, Dave Cridland wrote:
>> On Tue Mar 27 20:53:33 2007, Peter Saint-Andre wrote:
>>> Bruce Campbell wrote:
>>>>  9.1.2 From
>>>>
> >>>>     Furthermore, the domain identifier portion of the JID contained in
> >>>>     the 'from' attribute MUST match the hostname of the sending server
> >>>>     (or any validated domain thereof, such as a validated domain
> >>>>     hosted by the sending server) as communicated in the SASL
> >>>>     negotiation, dialback negotiation or other means;
>>>                                         ^^^^^^^^^^^^^^
>>> What might those other means be?
>>
>> I think Bruce's (sensible) intention is to leave the door open for
>> other methods as yet unspecified. DNS-SEC might be one such option, I
>> suppose, although I'm not entirely sure. Text as-is looks good to me.

Actually, I wasn't sure how to properly describe the addition of an 
additional (validated) domain via C.4-style piggybacking, as it isn't 
quite SASL or dialback negotiation.  Intent is certainly to avoid 
a future restriction on how (local or remote) domains become 'validated' 
to the local server/router.

Could even be pared down to:

      Furthermore, the domain identifier portion of the JID contained in
      the 'from' attribute MUST match one of the valid domains of the
      sending server as previously communicated.

[separate topic]

> Actually I think that using DNS-SEC as a source for authentication would
> be in combination with SASL EXTERNAL, just like how we now use TLS
> certs. I'm not sure if you need to explicitly mention alternates.

DNSSEC ensures that the answer you got is correct.  TLS ensures that the 
connection you made is to the correct host (and does feel-good stuff like 
encrypting the connection).

-- 
   Bruce Campbell.
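
The pared-down 'from' rule from the message above, sketched as a receiving-side check. This is an added example, not part of the original message or of any server's code. `InboundStream`, `add_validated`, `accepts` and `jid_domain` are hypothetical names, and the exact-match policy and the simplified normalisation (lowercasing only, no stringprep/IDNA) are assumptions of the example.

```python
import xml.etree.ElementTree as ET

def jid_domain(jid):
    """Domain part of [node@]domain[/resource], normalised; None if malformed."""
    bare = jid.split("/", 1)[0]          # the resource may itself contain '@' or '/'
    node, sep, domain = bare.partition("@")
    if not sep:
        domain = bare                    # domain-only JID (a server or component)
    elif not node:
        return None                      # "@domain" has an empty node part
    domain = domain.rstrip(".").lower()  # assumption: simplified, no stringprep/IDNA
    if not domain or "@" in domain:
        return None
    return domain

class InboundStream:
    """Hypothetical per-connection state for one server-to-server stream."""
    def __init__(self):
        self.validated = set()

    def add_validated(self, domain):
        # Called after any successful validation (SASL, dialback, piggybacking);
        # the 'from' check below does not care which mechanism it was.
        self.validated.add(domain.rstrip(".").lower())

    def accepts(self, stanza_xml):
        """True only if the stanza's 'from' domain was validated on this stream."""
        # A real server would read the attribute from its stream parser instead.
        sender = ET.fromstring(stanza_xml).get("from")
        if sender is None:
            return False                 # no 'from' attribute: nothing to match
        # Assumption: exact match, so a validated parent does not cover subdomains.
        return jid_domain(sender) in self.validated

if __name__ == "__main__":
    # Constructed sample data, not taken from the thread.
    stream = InboundStream()
    stream.add_validated("example.org")
    stream.add_validated("conference.example.org")  # added later on the same stream
    for stanza in (
        '<message from="juliet@example.org/balcony" to="romeo@example.net"/>',
        '<presence from="room@conference.example.org/nick"/>',
        '<message from="juliet@pubsub.example.org" to="romeo@example.net"/>',
        '<message to="romeo@example.net"/>',
    ):
        print(stream.accepts(stanza), stanza)
```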


