[Standards] RFC 3920, 10.2/10.3: subdomain routing rules

Matthias Wimmer m at tthias.eu
Wed Mar 28 20:50:55 UTC 2007


Ralph Meijer wrote:
> Actually I think that using DNS-SEC as a source for authentication would
> be in combination with SASL EXTERNAL, just like how we now use TLS
> certs. I'm not sure if you need to explicitly mention alternates.

Could somebody please give me a clue how DNSsec would be used for
authentication? To my knowledge DNSsec can only be used to make
sure that DNS responses are not spoofed. So you get a trustable IP
address from your DNS resolver. But this leaves the door open for any
attack that does not require spoofing the IP address.

What could be used is IPsec, which is able to authenticate the peer host
of a TCP/IP connection. But indeed this would probably be used by doing
SASL EXTERNAL after the authentication has been done with IPsec.


Matthias Wimmer      Fon +49-700 77 00 77 70
Züricher Str. 243    Fax +49-89 95 89 91 56
81476 München        http://ma.tthias.eu/
