Re: on DNS records

On 11/14/12 7:59 PM, Martin Thomson wrote:
> Just on this, it seems reasonable that the only necessary axis here is
> version.

Thank you for answering the question.

>   Having multiple records of the same type at the same node is
> already possible for SRV for load balancing and failover reasons; this
> would add one more reason: versioning.  Two axes is already a lot, a
> third is bad enough.

That's a fair point.  Question: how would you handle SRV with
http://www.example.com:49080?

Eliot


>
>> Use of SRV of any form with regard to TLS would require a substantial change
>> in how we clients validate hostnames.  I tell you from personal experience
>> that having a new SAN "Other" type is not an easy thing to ask of CAs.
> I don't see how you would conclude that.  If you are seeking
> 'example.com', then that is what you should look for in the
> certificate.  It doesn't matter what you had to query the DNS for to
> get an IP and port to get there.
>
> This happens all the time already with CNAME records - the browser
> still uses the *input* name to validate the certificate, not some
> intermediate gunk.
>

I'm saying that TLS processing of hosts with SRV records works
*sometimes* using other protocols, but at least in this circumstance, in
thinking about it, there is no need for SAN Others.

Eliot

Received on Wednesday, 14 November 2012 19:09:49 UTC
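As an added illustration of the two points discussed above (several SRV records at one node carrying priority and weight as separate axes, and the certificate being checked against the name the client started with rather than the SRV or CNAME target), here is example code that is not from the thread, from either participant, or from any W3C or IETF document. The zone data, the `_http._tcp` service label, the hostnames, the certificate names and the rule that an explicit port in the URL (the `:49080` case) bypasses the SRV lookup are all assumptions made for this example.

```python
"""SRV-aware endpoint selection plus TLS name validation against the input name.

Example code written for this thread; the zone, hostnames and the
explicit-port rule are assumptions, not the behaviour of any real client.
"""
import random
from urllib.parse import urlsplit

# Constructed sample zone (not real DNS). The three SRV records sit at one
# node: priority gives failover, weight gives load balancing.
SRV_ZONE = {
    "_http._tcp.example.com": [
        # (priority, weight, port, target)
        (10, 60, 8080, "a.hosting.example.net"),
        (10, 40, 8080, "b.hosting.example.net"),
        (20, 0, 80, "backup.hosting.example.net"),
    ],
}
CNAME_ZONE = {"www.example.com": "a.hosting.example.net"}
DEFAULT_PORTS = {"http": 80, "https": 443}


class FixedPick:
    """Deterministic stand-in for random.Random, for the demo and tests."""

    def __init__(self, value):
        self.value = value

    def randint(self, lo, hi):
        return min(max(self.value, lo), hi)

    def choice(self, seq):
        return seq[0]


def select_srv(records, rng=None):
    """RFC 2782 style selection: lowest priority group, weighted random within it."""
    rng = rng or random.Random()
    lowest = min(r[0] for r in records)
    group = [r for r in records if r[0] == lowest]
    total = sum(r[1] for r in group)
    if total == 0:
        return rng.choice(group)  # all weights zero: any record in the group
    pick = rng.randint(0, total - 1)
    running = 0
    for rec in group:
        running += rec[1]
        if pick < running:
            return rec
    return group[-1]


def resolve_endpoint(url, rng=None):
    """Return (connect_host, port, validation_name, how).

    validation_name is always the host from the URL. SRV and CNAME targets
    are routing detail and are never what the certificate is checked against.
    """
    parts = urlsplit(url)
    input_host = parts.hostname
    if parts.port is not None:
        # Assumption for this example: an explicit port names the endpoint
        # directly, so SRV is not consulted (the open question in the thread).
        return input_host, parts.port, input_host, "explicit-port"
    srv = SRV_ZONE.get(f"_{parts.scheme}._tcp.{input_host}")
    if srv:
        _prio, _weight, port, target = select_srv(srv, rng)
        return target, port, input_host, "srv"
    target = CNAME_ZONE.get(input_host, input_host)
    how = "cname" if target != input_host else "direct"
    return target, DEFAULT_PORTS[parts.scheme], input_host, how


def name_matches(pattern, host):
    """dNSName matching: exact, or a single leading '*' label (RFC 6125 style)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_valid_for(san_dns_names, validation_name):
    """True if any SAN dNSName covers the name the client originally asked for."""
    return any(name_matches(n, validation_name) for n in san_dns_names)


if __name__ == "__main__":
    # Constructed certificate: SANs issued to the public name, not the hosting target.
    sans = ["www.example.com", "*.example.com"]
    for url in ("http://example.com", "http://www.example.com", "http://www.example.com:49080"):
        host, port, name, how = resolve_endpoint(url, FixedPick(70))
        print(f"{url}: connect {host}:{port} via {how}; "
              f"cert must match {name!r}: {cert_valid_for(sans, name)}; "
              f"would matching the target {host!r} work? {cert_valid_for(sans, host)}")
```

The demo shows the SRV case routing to `b.hosting.example.net:8080` while validation still uses `example.com`, the CNAME case behaving the same way with the input name `www.example.com`, and the explicit-port URL skipping SRV altogether. Checking the certificate against the SRV target would fail here, which is the point Martin makes: the name you sought is the name you validate.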