LWN: Comments on "Handicapping New DNS Extensions and Applications (O'ReillyNet)"
https://lwn.net/Articles/217289/
This is a special feed containing comments posted to the individual LWN article titled "Handicapping New DNS Extensions and Applications (O'ReillyNet)".
Fri, 26 Sep 2025 06:07:57 +0000
lwn@lwn.net

Re: SPF
https://lwn.net/Articles/218868/
ldo

> SPF is broken by design and won't get fixed. Those looking for spam filters are better off looking elsewhere.

Why do you say that? The article seems to assert quite the opposite:

> We suggested in the webinar that there was no reason not to implement SPF: it's easy to set up, and there are no disadvantages to publishing a list of mail servers that are allowed to send email from your domain names.

Wed, 24 Jan 2007 01:43:10 +0000

Handicapping New DNS Extensions and Applications (O'ReillyNet)
https://lwn.net/Articles/218471/
job

SPF is broken by design and won't get fixed. Those looking for spam filters are better off looking elsewhere.

Sun, 21 Jan 2007 15:57:22 +0000

CERT records
https://lwn.net/Articles/217427/
micha

Peter wrote: "And last and most importantly, when we have a trusted CERT record and it matches we can just accept the certificate, even if it is signed by a CA we do not recognize or even if it is just self signed."

But what would be the downsides? Wouldn't it make it easier for phishers to fool innocent users by providing a fully accepted SSL certificate simply through a CERT record? You would require the users to trust the DNS even more, but spammers and phishers currently have no problem registering domains on the fly and will have no problem managing their DNS.

I don't know whether DNS can bear this burden of trust.

Micha

Sat, 13 Jan 2007 17:50:15 +0000

CERT records
https://lwn.net/Articles/217426/
weasel

What I would really like to see is SSL (x509) certificates, or better just their fingerprint, in DNS, and browsers (and other programs like your jabber client, MUA, etc.) making use of it.

Maybe something like

_443._tcp.example.org. CERT <magicbytes that say what this is> 17:37:8B:EE:E4:FF:96:D9:0A:B4:5B:57:56:08:D6:8E

(One could also imagine using the service name instead of the port number, but I guess the port is the smarter choice).

In the absence of such a CERT record clients would behave the same as now, that is do their CA verification dance and all.

If a CERT record is found but the fingerprint does not match the certificate a warning should be issued.

If a CERT record is found and we do not have a trusted (DNSSEC signed) answer then we still do the CA thing, but whether that fails or not we can still inform the user of what we found.

And last and most importantly, when we have a trusted CERT record and it matches we can just accept the certificate, even if it is signed by a CA we do not recognize or even if it is just self signed.

--
Peter

Sat, 13 Jan 2007 17:26:45 +0000
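The four-way decision Peter lays out in the comment above (no record, record mismatch, unsigned matching record, DNSSEC-validated matching record) is small enough to write down as a client-side verification routine. The following is an added example, not code from the LWN thread or from any browser or resolver: the `_port._proto.host` owner name, the in-memory zone standing in for a DNSSEC-aware resolver, the certificate bytes, and the use of SHA-256 for the fingerprint are all constructed assumptions, and the choice to treat a fingerprint mismatch as a refusal rather than only a warning is this example's own hardening decision.

```python
"""Client-side check of a DNS-published certificate fingerprint (added example).

Models the decision logic from the comment thread: consult a CERT-style record at
_<port>._<proto>.<host>, then decide how much to trust the presented certificate
depending on whether the record exists, matches, and was DNSSEC-validated.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple
import hashlib


class Verdict(Enum):
    CA_ONLY = "no record: ordinary CA validation decides"
    ACCEPT_PINNED = "DNSSEC-validated record matches: accept, CA chain not required"
    WARN_MISMATCH = "record found but fingerprint differs: warn and refuse"
    CA_PLUS_NOTICE = "unsigned record matches: CA validation decides, inform the user"


@dataclass
class DnsAnswer:
    fingerprints: List[str]      # colon-separated hex digests published in DNS
    dnssec_validated: bool       # True only if the resolver set the AD bit / validated


def cert_record_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name in the shape proposed in the thread, e.g. _443._tcp.example.org."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def fingerprint(cert_der: bytes, algo: str = "sha256") -> str:
    """Hex fingerprint with colon separators (algorithm is an assumption of this example)."""
    digest = hashlib.new(algo, cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def decide(answer: Optional[DnsAnswer], cert_der: bytes, ca_chain_ok: bool) -> Tuple[Verdict, bool]:
    """Return (verdict, accepted) following the four cases from the comment."""
    if answer is None or not answer.fingerprints:
        return Verdict.CA_ONLY, ca_chain_ok                      # behave as today
    published = {fp.strip().upper() for fp in answer.fingerprints}
    if fingerprint(cert_der) not in published:
        return Verdict.WARN_MISMATCH, False                      # warn; this example also refuses
    if not answer.dnssec_validated:
        return Verdict.CA_PLUS_NOTICE, ca_chain_ok               # unsigned: CA still decides
    # A validated match only proves the zone owner endorsed this key. It says nothing
    # about who the zone owner is, which is the concern micha raises in the thread.
    return Verdict.ACCEPT_PINNED, True


# --- constructed sample data standing in for a real resolver and real certificates ---
CERT = b"constructed certificate bytes for example.org"
OTHER_CERT = b"constructed certificate bytes for some other host"

ZONE: Dict[str, DnsAnswer] = {
    cert_record_name("example.org", 443): DnsAnswer([fingerprint(CERT)], dnssec_validated=True),
    cert_record_name("example.net", 5222): DnsAnswer([fingerprint(CERT)], dnssec_validated=False),
    cert_record_name("example.com", 443): DnsAnswer([fingerprint(OTHER_CERT)], dnssec_validated=True),
}


def lookup(name: str) -> Optional[DnsAnswer]:
    """Stand-in for a DNSSEC-validating resolver query (assumption: in-memory zone)."""
    return ZONE.get(name)


def verify(host: str, port: int, cert_der: bytes, ca_chain_ok: bool) -> Tuple[Verdict, bool]:
    """Full client flow: build the owner name, query it, then apply the decision rules."""
    return decide(lookup(cert_record_name(host, port)), cert_der, ca_chain_ok)


if __name__ == "__main__":
    for host, port, ok in [("example.org", 443, False), ("example.net", 5222, False),
                           ("example.com", 443, True), ("nowhere.test", 443, True)]:
        verdict, accepted = verify(host, port, CERT, ok)
        print(f"{host}:{port} ca_chain_ok={ok} -> {verdict.name}, accepted={accepted}")
```

The interesting row is `example.org`: the CA chain is reported as failing (`ca_chain_ok=False`), yet the connection is accepted because the DNSSEC-validated record vouches for exactly this key. That is the benefit Peter describes, and it is also why the comment in `decide` matters: the record shifts trust from the CA to whoever controls the zone, so the client still has to care about which zone it asked.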