Thanks for the comments. While digesting them, I have one comment:

> On 6 mar 2015, at 07:14, John C Klensin <john-ietf@xxxxxxx> wrote:
>
> Generally, while I think you should warn that URI records may
> cause some risks that do not exist with, e.g., conventional name
> to address mappings (note that the "downgrade attack or not"
> considerations above would apply equally well to:
>
>    foo.example.com. IN A 10.2.0.44
> being diverted into a response of
>    foo.example.com. IN A 10.0.0.6
>
> (which would be, historically, a likely upgrade attack, but it
> has nothing to do with URI records but is equally preventable by
> an integrity check.))
>
> As long as there is a warning, I really don't care very much
> what you say, but whatever you do say should be as accurate as
> possible.

I also see tons of zeroconf stuff (Apple Bonjour) using DNS already today in the geographically local context without much DNSSEC.

Patrik