[Standards] RFC 3920, 10.2/10.3: subdomain routing rules

Ralph Meijer jabber.org at ralphm.ik.nu
Thu Mar 29 11:42:01 UTC 2007


On Wed, 2007-03-28 at 22:50 +0200, Matthias Wimmer wrote:
> Hi!
> 
> Ralph Meijer wrote:
> > Actually I think that using DNS-SEC as a source for authentication would
> > be in combination with SASL EXTERNAL, just like how we now use TLS
> > certs. I'm not sure if you need to explicitly mention alternates.
> 
> Could somebody please give me a clue how DNSsec would be used for
> authentication? Due to my knowledge DNSsec can only be used to make
> sure that DNS responses are not spoofed. So you get a trustable IP
> address from your DNS resolver. But this leaves the door open for any
> attack that does not require spoofing the IP address.
> 
> What could be used is IPsec, which is able to authenticate the peer host
> of a TCP/IP connection. But indeed this would probably be used by doing
> SASL EXTERNAL after the authentication has been done with IPsec.

I misread. Sorry about that.

-- 
Groetjes,

ralphm



