[145087] in North American Network Operators' Group
Re: Nxdomain redirect revenue
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Tue Sep 27 10:51:51 2011
In-Reply-To: <33830.1317133175@turing-police.cc.vt.edu>
Date: Tue, 27 Sep 2011 10:49:56 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Valdis.Kletnieks@vt.edu
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Tue, Sep 27, 2011 at 10:19 AM, <Valdis.Kletnieks@vt.edu> wrote:
> On Tue, 27 Sep 2011 09:27:00 EDT, Christopher Morrow said:
>> On Tue, Sep 27, 2011 at 7:50 AM, Jimmy Hess <mysidia@gmail.com> wrote:
>
>> > I would rather see DNSSEC and TLS/HTTPS get implemented end to end.
>>
>> how does tls/https help here? if you get sent to the 'wrong host'
>> whether or not it does https/tls is irrelevant, no? (save the case of
>> chrome and domain pinning)
>
> Well, actually, Chrome-like domain pinning and/or using DNSSEC to verify the
> provenance of an SSL cert is the whole reason Jimmy probably wants DNSSEC and
> TLS...Unless you do that sort of stuff, there's no way to *tell* if you ended
> up at the wrong host...
to paraphrase mo: "this will not scale" (you can't possibly pin
everyone that matters (to all users) inside the binary) It's a cute
intermediate trick until the CA problem is resolved/executed and
DNSSEC arrives in full (on the service AND client side).
-chris
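The thread is about resolvers that answer NXDOMAIN with a "search page" address instead of rcode 3. The following is an added example, not code from the thread or from any poster, showing the check a network operator can run against a resolver: query a few random labels under a reserved suffix (`.invalid` is guaranteed not to exist), and classify the resolver as honest if every answer is NXDOMAIN, or as redirecting if every answer is NOERROR with a common A record. The wire-format builder/parser uses only the standard library; `192.0.2.53` and the sample responses are constructed test data, and `udp_query` is the only part that touches the network.

```python
"""Detect resolver-side NXDOMAIN redirection (added example, not from the thread)."""
from __future__ import annotations

import secrets
import socket
import struct
from typing import Callable, Iterable

RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3

# A query function maps a name to (rcode, list of A-record IPs).
QueryFn = Callable[[str], tuple[int, list[str]]]


def build_query(name: str, qid: int) -> bytes:
    """Minimal DNS query for an A record: header with RD set, one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> tuple[int, list[str]]:
    """Return (rcode, A-record IPs) from a raw DNS response."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips: list[str] = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return rcode, ips


def udp_query(server: str, name: str, timeout: float = 2.0) -> tuple[int, list[str]]:
    """Send one A query to `server` over UDP/53 and parse the reply (network access)."""
    qid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != qid:
        raise ValueError("transaction id mismatch")
    return parse_response(data)


def random_probe_names(n: int, suffix: str = "example.invalid") -> list[str]:
    """Random labels under a reserved suffix: an honest resolver must say NXDOMAIN."""
    return [f"{secrets.token_hex(6)}.{suffix}" for _ in range(n)]


def classify_resolver(query: QueryFn, probes: Iterable[str]) -> dict:
    """'honest' if all probes are NXDOMAIN, 'redirecting' if all resolve to a shared IP."""
    results = [query(name) for name in probes]
    nx = sum(1 for rc, _ in results if rc == RCODE_NXDOMAIN)
    answered = [set(ips) for rc, ips in results if rc == RCODE_NOERROR and ips]
    common = set.intersection(*answered) if answered else set()
    if nx == len(results):
        verdict = "honest"
    elif len(answered) == len(results) and common:
        verdict = "redirecting"
    else:
        verdict = "inconsistent"
    return {"verdict": verdict, "nxdomain": nx, "redirect_ips": sorted(common)}


# Constructed sample responses (not captured traffic): question abc.example.invalid.
_QUESTION = b"\x03abc\x07example\x07invalid\x00" + struct.pack("!HH", 1, 1)
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _QUESTION
SAMPLE_NOERROR = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
                  + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 53]))


def fake_resolver(raw: bytes) -> QueryFn:
    """Offline stand-in for udp_query that always returns the same constructed reply."""
    return lambda name: parse_response(raw)


if __name__ == "__main__":
    names = random_probe_names(3)
    print(classify_resolver(fake_resolver(SAMPLE_NXDOMAIN), names))   # honest
    print(classify_resolver(fake_resolver(SAMPLE_NOERROR), names))    # redirecting
    # Against a real resolver: classify_resolver(lambda n: udp_query("192.0.2.1", n), names)
```

To test a live resolver, wrap `udp_query` with its address as in the trailing comment; a "redirecting" verdict with a single shared IP is the signature of the behaviour the thread complains about, and it is exactly the case where, as Chris notes, TLS on the redirected connection tells the client nothing useful unless the certificate is checked against the name the user actually asked for.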