[Free-RTC] kamaillio script for federated communications

Olle E. Johansson oej at edvina.net
Fri Jun 21 17:41:17 CEST 2013


On 21 Jun 2013 at 15:05, Daniel Pocock <daniel at pocock.com.au> wrote:

>> * The config uses DNS to establish the transport available on the
>> remote proxy. It doesn't use DNSSEC to do this.
> 
> I'm not sure if DNSSEC matters if the TLS certificate is valid - some
> people may prefer to trust the TLS cert and not place any trust in the
> DNSSEC trust model

That's quite a misguided statement. If DNS points to an incorrect destination that succeeds
in providing a certificate that you accept - how can that be a good solution?

DNSsec verification tells you that you have an authorized binding between the hostname
and the IP.

TLS will tell you that you have a binding between the URI you're looking for and
the server.

That's two different things.

DANE - TLS verification using DNSsec - is an alternative to the current rather insecure
way of handling CA certificates. But that's another story. I think you're mixing DANE
with DNSsec in your statement, Daniel.

/O