From owner-ietf-ssh@clinet.fi  Mon Nov 15 20:41:52 1999
Return-Path: <owner-ietf-ssh@clinet.fi>
Received: from ssh.fi (muuri.ssh.fi [192.168.2.254])
	by torni.ssh.fi (8.9.3/8.9.3/SSH-1.14) with ESMTP id UAA09672;
	Mon, 15 Nov 1999 20:41:52 +0200 (EET)
Received: from mail.clinet.fi (mail.clinet.fi [194.100.0.7])
	by ssh.fi (8.9.3/8.9.3/SSH-1.16) with ESMTP id UAA10154;
	Mon, 15 Nov 1999 20:41:52 +0200 (EET)
Received: (from majordom@localhost)
	by mail.clinet.fi (8.9.3/8.9.3) id UAA21084
	for ietf-ssh-outgoing; Mon, 15 Nov 1999 20:36:41 +0200
Received: from samantha.lysator.liu.se (root@samantha.lysator.liu.se [130.236.254.202])
	by mail.clinet.fi (8.9.3/8.9.3) with ESMTP id UAA21081
	for <ietf-ssh@clinet.fi>; Mon, 15 Nov 1999 20:36:40 +0200
Received: from sanna.lysator.liu.se (nisse@sanna.lysator.liu.se [130.236.254.206])
	by samantha.lysator.liu.se (8.9.3/8.9.3) with ESMTP id TAA16763
	for <ietf-ssh@clinet.fi>; Mon, 15 Nov 1999 19:36:39 +0100 (MET)
Received: (from nisse@localhost)
	by sanna.lysator.liu.se (8.8.8/8.8.7) id TAA06486;
	Mon, 15 Nov 1999 19:36:32 +0100 (MET)
To: ietf-ssh@clinet.fi
Subject: Using DNS names
MIME-Version: 1.0
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 8bit
From: nisse@lysator.liu.se (Niels Möller)
Date: 15 Nov 1999 19:36:32 +0100
Message-ID: <nn66z34n67.fsf@sanna.lysator.liu.se>
X-Mailer: Gnus v5.4.59/Emacs 19.34
Sender: owner-ietf-ssh@clinet.fi
Precedence: bulk
Content-Length: 3700
Lines: 82

Section 4.1 in draft-ietf-secsh-architecture-04.txt says

: 4.1.  Encoding of Network Addresses
: 
: Network addresses are encoded as strings. DNS names MUST NOT be used, as
: DNS is an insecure protocol.

: If an address contains a colon (':', ascii 58), it is interpreted as an
: IPv6 address. The encoding of IPv6 addresses is described in [RFC-1884].
: IPv4 addresses are expressed in the standard dot-separated decimal
: format (e.g. 127.0.0.1).

I find the motivation in the first paragraph a little strange.

1. Network addresses are used mostly (or even exclusively?) in the
   messages that set up tcpip tunnels. In this case, the traffic is
   likely not secure outside of the tunnel, so forbidding the use of
   DNS, for security reasons, seems a little pointless.

2. If the user provides a DNS name, it has to be resolved in some way
   or another. The effect of the rule above is to mandate that all name
   resolution happens at the client side. Think

     ssh -L4711:some.other.host:80 ...

   I don't see how mandating name resolution to take place on a
   certain end of the tunnel increases the security.

3. In some cases, you may actually trust DNS. If I speak to my DNS
   server over a local trusted network, and ask for a name for which
   the server is primary, I can trust the answers. If I use DNSSEC, I
   may also trust some external DNS servers.

4. Allowing the server to do the name lookup can actually be useful in
   some circumstances. Say that I work at a company with an internal
   network, and a two-faced DNS-server that provides names to the
   internal machines only for clients inside the firewall (or in the
   DMZ).

   Say I want to use ssh to connect to this site from outside, and
   create a tunnel to one of the internal machines. I login to some
   machine inside the demilitarized zone, and request tcpip
   forwarding. If I could send a DNS name in the ssh protocol, I could
   use a symbolic name for the target machine, which can *not* be
   resolved by my client which is outside the firewall. If the site
   uses dynamic temporary IP-addresses, it is also difficult for me to
   supply a numeric ip address for the target.

I would like to propose that the above paragraph is replaced with
something like this:

: Network addresses are encoded as strings.
: 
: If an address contains a colon (':', ascii 58), it is interpreted as
: an IPv6 address. The encoding of IPv6 addresses is described in
: [RFC-1884].
: 
: A name that starts with a decimal digit, and does not contain any
: colon, is interpreted as an IPv4 address expressed in the
: standard dot-separated decimal format (e.g. 127.0.0.1).
: 
: Any other name is interpreted as a symbolic hostname. A symbolic name
: that ends with a dot ('.', ascii 46) MUST be interpreted as a Fully
: Qualified Domain Name, to be resolved by the system (client or server)
: that receives the name. A symbolic name that does not end with a dot
: is resolved by any means customary on the receiving system (e.g.
: taking into consideration nis, wins, nsswitch.conf, search directives
: in /etc/resolv.conf, etc).
: 
: Support for resolving symbolic names is OPTIONAL. An implementation
: SHOULD NOT send any symbolic names in its default configuration; in
: this case, any symbolic names supplied by the user MUST be resolved
: locally before they are encoded into an SSH packet.

Or is there a better way to specify the details? I'd like to be able
to distinguish between ip4, ip6, fqdn:s, and system dependent names.

I also feel that the ip4-notation is under-specified. Is there any
definition of "standard dot-decimal notation", or should I read it as
"anything that inet_aton() accepts"?

/Niels
From owner-ietf-ssh@clinet.fi  Tue Nov 16 09:01:57 1999
Return-Path: <owner-ietf-ssh@clinet.fi>
Received: from ssh.fi (muuri.ssh.fi [192.168.2.254])
	by torni.ssh.fi (8.9.3/8.9.3/SSH-1.14) with ESMTP id JAA10395;
	Tue, 16 Nov 1999 09:01:53 +0200 (EET)
Received: from mail.clinet.fi (mail.clinet.fi [194.100.0.7])
	by ssh.fi (8.9.3/8.9.3/SSH-1.16) with ESMTP id JAA16703;
	Tue, 16 Nov 1999 09:01:52 +0200 (EET)
Received: (from majordom@localhost)
	by mail.clinet.fi (8.9.3/8.9.3) id IAA28275
	for ietf-ssh-outgoing; Tue, 16 Nov 1999 08:55:33 +0200
Received: from yem.jsv.qwest.net (yem.jsv.qwest.net [208.44.135.48])
	by mail.clinet.fi (8.9.3/8.9.3) with ESMTP id IAA28267
	for <ietf-ssh@clinet.fi>; Tue, 16 Nov 1999 08:55:30 +0200
Received: from iconnet.net (localhost [127.0.0.1])
	by yem.jsv.qwest.net (8.9.3/8.9.3) with ESMTP id WAA21665;
	Mon, 15 Nov 1999 22:54:22 -0800 (PST)
Message-Id: <199911160654.WAA21665@yem.jsv.qwest.net>
X-Mailer: exmh version 2.1.0 04/14/1999
To: nisse@lysator.liu.se (Niels Möller)
Cc: ietf-ssh@clinet.fi
Subject: Re: Using DNS names 
In-reply-to: nisse's message of 15 Nov 1999 19:36:32 +0100.
             <nn66z34n67.fsf@sanna.lysator.liu.se> 
X-Priority: 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 15 Nov 1999 22:54:22 -0800
From: Frank Cusack <fcusack@iconnet.net>
Sender: owner-ietf-ssh@clinet.fi
Precedence: bulk
Content-Length: 1889
Lines: 50


>>>>> On 15 Nov 1999,
>>>>> "Niels" == Niels Möller wrote:

  Niels> Section 4.1 in draft-ietf-secsh-architecture-04.txt says

  Niels> : 4.1.  Encoding of Network Addresses
  Niels> :
  Niels> : Network addresses are encoded as strings. DNS names MUST NOT be used, as
  Niels> : DNS is an insecure protocol.

  Niels> : If an address contains a colon (':', ascii 58), it is interpreted as an
  Niels> : IPv6 address. The encoding of IPv6 addresses is described in [RFC-1884].
  Niels> : IPv4 addresses are expressed in the standard dot-separated decimal
  Niels> : format (e.g. 127.0.0.1).

  [...]

  Niels> I would like to propose that the above paragraph is replaced with
  Niels> something like this:

  Niels> : Network addresses are encoded as strings.
  Niels> :
  Niels> : If an address contains a colon (':', ascii 58), it is interpreted as
  Niels> : an IPv6 address. The encoding of IPv6 addresses is described in
  Niels> : [RFC-1884].
  Niels> :
  Niels> : A name that starts with a decimal digit, and does not contain any
  Niels> : colon, is interpreted as an IPv4 address expressed in the
  Niels> : standard dot-separated decimal format (e.g. 127.0.0.1).

Symbolic names (i.e., hostnames or FQDNs) are now allowed (unfortunately, IMHO)
to start w/ a digit [RFC 1123]. Also, the a.b.c.d notation is commonly
called dotted-decimal or dotted-quad notation.

  [...]

  Niels> I also feel that the ip4-notation is under-specified. Is there any
  Niels> definition of "standard dot-decimal notation", or should I read it as
  Niels> "anything that inet_aton() accepts"?

I don't know of a good reference for the formal definition, but it could
be expressed as "the text 'a.b.c.d' where {a,b,c,d} are decimal numbers,
in the range 0 <= n <= 255". It could be expressed much more cleanly in
BNF notation.

Anyway, other than the exception above, I agree with you. (FWIW)

~f

From owner-ietf-ssh@clinet.fi  Tue Nov 16 12:06:18 1999
Return-Path: <owner-ietf-ssh@clinet.fi>
Received: from ssh.fi (muuri.ssh.fi [192.168.2.254])
	by torni.ssh.fi (8.9.3/8.9.3/SSH-1.14) with ESMTP id MAA18729;
	Tue, 16 Nov 1999 12:06:17 +0200 (EET)
Received: from mail.clinet.fi (mail.clinet.fi [194.100.0.7])
	by ssh.fi (8.9.3/8.9.3/SSH-1.16) with ESMTP id MAA21245;
	Tue, 16 Nov 1999 12:06:17 +0200 (EET)
Received: (from majordom@localhost)
	by mail.clinet.fi (8.9.3/8.9.3) id LAA00351
	for ietf-ssh-outgoing; Tue, 16 Nov 1999 11:56:13 +0200
Received: from samantha.lysator.liu.se (root@samantha.lysator.liu.se [130.236.254.202])
	by mail.clinet.fi (8.9.3/8.9.3) with ESMTP id LAA00343
	for <ietf-ssh@clinet.fi>; Tue, 16 Nov 1999 11:56:11 +0200
Received: from sanna.lysator.liu.se (nisse@sanna.lysator.liu.se [130.236.254.206])
	by samantha.lysator.liu.se (8.9.3/8.9.3) with ESMTP id KAA22259;
	Tue, 16 Nov 1999 10:56:10 +0100 (MET)
Received: (from nisse@localhost)
	by sanna.lysator.liu.se (8.8.8/8.8.7) id KAA21353;
	Tue, 16 Nov 1999 10:56:05 +0100 (MET)
To: Frank Cusack <fcusack@iconnet.net>
Cc: ietf-ssh@clinet.fi
Subject: Re: Using DNS names
References: <199911160654.WAA21665@yem.jsv.qwest.net>
MIME-Version: 1.0
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 8bit
From: nisse@lysator.liu.se (Niels Möller)
Date: 16 Nov 1999 10:56:04 +0100
In-Reply-To: Frank Cusack's message of "Mon, 15 Nov 1999 22:54:22 -0800"
Message-ID: <nn3du64v63.fsf@sanna.lysator.liu.se>
X-Mailer: Gnus v5.4.59/Emacs 19.34
Sender: owner-ietf-ssh@clinet.fi
Precedence: bulk
Content-Length: 1718
Lines: 38

Frank Cusack <fcusack@iconnet.net> writes:

> Symbolic names (i.e., hostnames or FQDNs) are now allowed (unfortunately, IMHO)
> to start w/ a digit [RFC 1123]. Also, the a.b.c.d notation is commonly
> called dotted-decimal or dotted-quad notation.

Hmm. Perhaps we could adopt the convention from ip6 URL:s
(draft-ietf-ipngwg-url-literal-04.txt) and RFC822 "domain literals"
and enclose all numeric addresses (i.e. both ip4 and ip6) in square
brackets, '[' and ']'? 

>   Niels> I also feel that the ip4-notation is under-specified. Is there any
>   Niels> definition of "standard dot-decimal notation", or should I read it as
>   Niels> "anything that inet_aton() accepts"?
> 
> I don't know of a good reference for the formal definition, but it could
> be expressed as "the text 'a.b.c.d' where {a,b,c,d} are decimal numbers,
> in the range 0 <= n <= 255". It could be expressed much more cleanly in
> BNF notation.

I found that this is done in RFC 1738 (URL):

    host
        The fully qualified domain name of a network host, or its IP
        address as a set of four decimal digit groups separated by
        ".". Fully qualified domain names take the form as described
        in Section 3.5 of RFC 1034 [13] and Section 2.1 of RFC 1123
        [5]: a sequence of domain labels separated by ".", each domain
        label starting and ending with an alphanumerical character and
        possibly also containing "-" characters. The rightmost domain
        label will never start with a digit, though, which
        syntactically distinguishes all domain names from the IP
        addresses.

It also defines the syntax using BNF. (But as usual, browsers are
typically a lot more liberal than this).

/Niels
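Added example, not part of the thread or any of the posters' code: a Python classifier that implements the three address-string schemes discussed above (Niels's first proposal with the leading-digit rule, the RFC 1738 rule he quotes, and the square-bracket convention he floats), using Frank's strict dotted-decimal definition for IPv4. The sample strings are constructed; "3com.com" stands in for the digit-leading hostnames Frank raised, and the leading-zero rejection in is_dotted_quad is an assumption added here, not wording from the thread.

```python
import re
import ipaddress

# Constructed sample inputs: one of each kind the thread wants to tell
# apart, plus the cases that cause trouble under a loose parser.
SAMPLES = ["127.0.0.1", "::1", "fe80::1", "host.example.com.", "intranet-db",
           "3com.com", "127.1", "0177.0.0.1", "256.1.1.1"]

# One decimal group: "0" or a number without a leading zero, at most 3 digits.
_OCTET = re.compile(r"^(0|[1-9][0-9]{0,2})$")


def is_dotted_quad(s):
    """Frank Cusack's definition: 'a.b.c.d' with each group a decimal number
    in 0..255.  Leading zeros are rejected as well (an assumption made here,
    not in the thread): inet_aton() reads "0177" as octal 127, and it also
    accepts shorthand like "127.1", so "anything inet_aton() accepts" would
    let the two ends of a tunnel disagree about which host was named."""
    parts = s.split(".")
    return len(parts) == 4 and all(_OCTET.match(p) and int(p) <= 255 for p in parts)


def is_ipv6_literal(s):
    """Syntax check for the colon form; ipaddress covers the RFC 1884 rules."""
    try:
        ipaddress.IPv6Address(s)
        return True
    except ValueError:
        return False


def classify_proposal(addr):
    """Niels's first proposal: colon -> IPv6; leading digit and no colon ->
    IPv4; trailing dot -> FQDN; anything else -> system-dependent name."""
    if ":" in addr:
        return "ipv6" if is_ipv6_literal(addr) else "invalid"
    if addr[:1].isdigit():
        # A hostname such as "3com.com" lands here and is rejected: this is
        # the RFC 1123 objection Frank raised.
        return "ipv4" if is_dotted_quad(addr) else "invalid"
    return "fqdn" if addr.endswith(".") else "hostname"


def classify_rfc1738(addr):
    """RFC 1738 host rule as quoted in the thread: the rightmost domain label
    never starts with a digit, so a digit there means the string is an IP."""
    if ":" in addr:
        return "ipv6" if is_ipv6_literal(addr) else "invalid"
    labels = addr.rstrip(".").split(".")
    if labels[-1][:1].isdigit():
        return "ipv4" if is_dotted_quad(addr) else "invalid"
    return "fqdn" if addr.endswith(".") else "hostname"


def classify_bracketed(addr):
    """Niels's follow-up idea: numeric literals go inside '[' and ']' (as in
    RFC 822 domain literals and IPv6 URLs), so names need no digit heuristic."""
    if addr.startswith("[") and addr.endswith("]"):
        lit = addr[1:-1]
        if ":" in lit:
            return "ipv6" if is_ipv6_literal(lit) else "invalid"
        return "ipv4" if is_dotted_quad(lit) else "invalid"
    return "fqdn" if addr.endswith(".") else "hostname"


def report(samples=SAMPLES):
    """Classify each sample under all three schemes; returns a list of rows."""
    return [(s, classify_proposal(s), classify_rfc1738(s), classify_bracketed(s))
            for s in samples]


if __name__ == "__main__":
    for row in report():
        print("%-18s proposal=%-8s rfc1738=%-8s bracketed=%s" % row)
```

The rows for "3com.com" show the disagreement Frank pointed out (invalid under the leading-digit rule, a hostname under RFC 1738), and "127.1" and "0177.0.0.1" are rejected by the strict quad check although inet_aton() would accept them.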
From owner-ietf-ssh@clinet.fi  Tue Nov 16 17:12:40 1999
Return-Path: <owner-ietf-ssh@clinet.fi>
Received: from ssh.fi (muuri.ssh.fi [192.168.2.254])
	by torni.ssh.fi (8.9.3/8.9.3/SSH-1.14) with ESMTP id RAA14891;
	Tue, 16 Nov 1999 17:12:32 +0200 (EET)
Received: from mail.clinet.fi (lohi.clinet.fi [194.100.0.7])
	by ssh.fi (8.9.3/8.9.3/SSH-1.16) with ESMTP id RAA00850;
	Tue, 16 Nov 1999 17:12:31 +0200 (EET)
Received: (from majordom@localhost)
	by mail.clinet.fi (8.9.3/8.9.3) id RAA22099
	for ietf-ssh-outgoing; Tue, 16 Nov 1999 17:08:00 +0200
Received: from dragonfly.corp.home.net (dragonfly.corp.home.net [24.0.31.130])
	by mail.clinet.fi (8.9.3/8.9.3) with ESMTP id RAA22082
	for <ietf-ssh@clinet.fi>; Tue, 16 Nov 1999 17:07:49 +0200
Received: from dragonfly.corp.home.net (rja@localhost [127.0.0.1])
	by dragonfly.corp.home.net (8.9.3/8.9.3) with ESMTP id KAA07091
	for <ietf-ssh@clinet.fi>; Tue, 16 Nov 1999 10:07:41 -0500 (EST)
Message-Id: <199911161507.KAA07091@dragonfly.corp.home.net>
X-Mailer: exmh version 2.1.0 09/18/1999
To: ietf-ssh@clinet.fi
Subject: Re: Using DNS names 
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Mime-Version: 1.0
Date: Tue, 16 Nov 1999 10:07:40 -0500
From: Ran Atkinson <rja@corp.home.net>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by mail.clinet.fi id RAA22092
Sender: owner-ietf-ssh@clinet.fi
Precedence: bulk
Content-Length: 871
Lines: 26

% Section 4.1 in draft-ietf-secsh-architecture-04.txt says
% 
% : 4.1.  Encoding of Network Addresses
% : 
% : Network addresses are encoded as strings. DNS names MUST NOT be used, as
% : DNS is an insecure protocol.

The quoted text isn't quite accurate as stated.  In the modern day
the DNS Security Extensions are on the standards-track and have been
implemented.  They will get revised before proceeding on the standards
track, but that is normal for any protocol.

I would propose the following change to the I-D:

DELETE	"DNS names MUST NOT be used, as DNS is an insecure protocol."

INSERT  "Unauthenticated DNS names or other information MUST NOT be used.  
	DNS names and other DNS information authenticated via the mechanisms 
	specified in DNS Security [RFC-2535] MAY be used."

ADD	citation for RFC-2535 in REFERENCES section of I-D.

Ran
rja@corp.home.net


From owner-ietf-ssh@clinet.fi  Tue Nov 16 18:52:46 1999
Return-Path: <owner-ietf-ssh@clinet.fi>
Received: from ssh.fi (muuri.ssh.fi [192.168.2.254])
	by torni.ssh.fi (8.9.3/8.9.3/SSH-1.14) with ESMTP id SAA17623;
	Tue, 16 Nov 1999 18:52:45 +0200 (EET)
Received: from mail.clinet.fi (lohi.clinet.fi [194.100.0.7])
	by ssh.fi (8.9.3/8.9.3/SSH-1.16) with ESMTP id SAA03425;
	Tue, 16 Nov 1999 18:52:45 +0200 (EET)
Received: (from majordom@localhost)
	by mail.clinet.fi (8.9.3/8.9.3) id SAA00370
	for ietf-ssh-outgoing; Tue, 16 Nov 1999 18:45:58 +0200
Received: from samantha.lysator.liu.se (root@samantha.lysator.liu.se [130.236.254.202])
	by mail.clinet.fi (8.9.3/8.9.3) with ESMTP id SAA00367
	for <ietf-ssh@clinet.fi>; Tue, 16 Nov 1999 18:45:57 +0200
Received: from sanna.lysator.liu.se (nisse@sanna.lysator.liu.se [130.236.254.206])
	by samantha.lysator.liu.se (8.9.3/8.9.3) with ESMTP id RAA10620;
	Tue, 16 Nov 1999 17:45:55 +0100 (MET)
Received: (from nisse@localhost)
	by sanna.lysator.liu.se (8.8.8/8.8.7) id RAA25340;
	Tue, 16 Nov 1999 17:45:50 +0100 (MET)
To: Ran Atkinson <rja@corp.home.net>
Cc: ietf-ssh@clinet.fi
Subject: Re: Using DNS names
References: <199911161507.KAA07091@dragonfly.corp.home.net>
MIME-Version: 1.0
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 8bit
From: nisse@lysator.liu.se (Niels Möller)
Date: 16 Nov 1999 17:45:49 +0100
In-Reply-To: Ran Atkinson's message of "Tue, 16 Nov 1999 10:07:40 -0500"
Message-ID: <nnu2mm2xmq.fsf@sanna.lysator.liu.se>
X-Mailer: Gnus v5.4.59/Emacs 19.34
Sender: owner-ietf-ssh@clinet.fi
Precedence: bulk
Content-Length: 2013
Lines: 43

Ran Atkinson <rja@corp.home.net> writes:

> I would propose the following change to the I-D:
> 
> DELETE	"DNS names MUST NOT be used, as DNS is an insecure protocol."
> 
> INSERT  "Unauthenticated DNS names or other information MUST NOT be used.  
> 	DNS names and other DNS information authenticated via the mechanisms 
> 	specified in DNS Security [RFC-2535] MAY be used."
> 
> ADD	citation for RFC-2535 in REFERENCES section of I-D.

This proposal does not quite address the concerns I have. 

For a start, I don't see how security is improved by forbidding the
use of unauthenticated DNS, when we still use insecure DNS as well as
unsecured IP on one or both ends of the tcpip tunnel. In some cases
(say, you use SSH to create a tcpip tunnel which you use for an SSH
connection *with* proper host authentication, or if you create a
tunnel to some web server that you don't trust at all anyway),
authentication in the name resolution process is *not* important for
security. This was the point of my original message.

And it's difficult or impossible for an implementation to determine
whether or not a particular DNS name can be resolved in such a way
that the remote peer will trust it (note that this issue is a lot more
complicated than whether or not the remote peer or some of the
involved name servers support DNSSec). That means that it is really
really difficult for an implementation to decide whether or not it is
allowed to use a particular DNS name. I don't like this kind of
undecidability.

And at last, it doesn't address the *details*. I.e. how
implementations should distinguish ip addresses from dns names, or
whether or not DNS names should be fully qualified. And it doesn't
allow an implementation to resolve a received name except by using
DNSSec (I may have a trusted /etc/hosts file, or a trusted DNS (but no
DNSSec) server I can access over a trusted local network. Or use some
other mapping mechanism besides names and addresses. NIS+, WINS,
whatever).

Best regards,
/Niels Möller
From owner-ietf-ssh@clinet.fi  Fri Nov 19 22:33:15 1999
Return-Path: <owner-ietf-ssh@clinet.fi>
Received: from ssh.fi (muuri.ssh.fi [192.168.2.254])
	by torni.ssh.fi (8.9.3/8.9.3/SSH-1.14) with ESMTP id WAA01999;
	Fri, 19 Nov 1999 22:33:14 +0200 (EET)
Received: from mail.clinet.fi (mail.clinet.fi [194.100.0.7])
	by ssh.fi (8.9.3/8.9.3/SSH-1.16) with ESMTP id WAA23378;
	Fri, 19 Nov 1999 22:33:14 +0200 (EET)
Received: (from majordom@localhost)
	by mail.clinet.fi (8.9.3/8.9.3) id WAA25968
	for ietf-ssh-outgoing; Fri, 19 Nov 1999 22:26:24 +0200
Received: from yem.jsv.qwest.net (yem.jsv.qwest.net [208.44.135.48])
	by mail.clinet.fi (8.9.3/8.9.3) with ESMTP id WAA25958
	for <ietf-ssh@clinet.fi>; Fri, 19 Nov 1999 22:26:23 +0200
Received: from iconnet.net (localhost [127.0.0.1])
	by yem.jsv.qwest.net (8.9.3/8.9.3) with ESMTP id MAA01500;
	Fri, 19 Nov 1999 12:24:37 -0800 (PST)
Message-Id: <199911192024.MAA01500@yem.jsv.qwest.net>
X-Mailer: exmh version 2.1.0 04/14/1999
To: nisse@lysator.liu.se (Niels Möller)
Cc: Ran Atkinson <rja@corp.home.net>, ietf-ssh@clinet.fi
Subject: Re: Using DNS names 
In-reply-to: nisse's message of 16 Nov 1999 17:45:49 +0100.
             <nnu2mm2xmq.fsf@sanna.lysator.liu.se> 
X-Priority: 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 19 Nov 1999 12:24:36 -0800
From: Frank Cusack <fcusack@iconnet.net>
Sender: owner-ietf-ssh@clinet.fi
Precedence: bulk
Content-Length: 1406
Lines: 36


>>>>> On 16 Nov 1999, "Niels" == Niels Möller wrote:

  Niels> Ran Atkinson <rja@corp.home.net> writes:

  +> I would propose the following change to the I-D:

  +> DELETE "DNS names MUST NOT be used, as DNS is an insecure protocol."

  +> INSERT "Unauthenticated DNS names or other information MUST NOT be
  +> used.  DNS names and other DNS information authenticated via the
  +> mechanisms specified in DNS Security [RFC-2535] MAY be used."

  +> ADD citation for RFC-2535 in REFERENCES section of I-D.

  Niels> This proposal does not quite address the concerns I have.

  Niels> For a start, I don't see how security is improved by forbidding
  Niels> the use of unauthenticated DNS, when we still use insecure DNS as
  Niels> well as unsecured IP on one or both ends of the tcpip tunnel. In

Agreed.

  Niels> And it's difficult or impossible for an implementation to
  Niels> determine whether or not a particular DNS name can be resolved

Agreed. An unimplementable standard is not very useful. However, it might
be useful to have text in the I-D stating that whenever possible, if the
underlying resolver implementation allows the client to know if DNS
information was obtained in a secure and trusted manner, then that client
MAY reject unauthenticated information. BUT, this is probably something
that's better off going into the resolver implementation than an ssh client
implementation.

~f

From owner-ietf-ssh@clinet.fi  Fri Nov 19 22:44:25 1999
Return-Path: <owner-ietf-ssh@clinet.fi>
Received: from ssh.fi (muuri.ssh.fi [192.168.2.254])
	by torni.ssh.fi (8.9.3/8.9.3/SSH-1.14) with ESMTP id WAA17630;
	Fri, 19 Nov 1999 22:44:25 +0200 (EET)
Received: from mail.clinet.fi (mail.clinet.fi [194.100.0.7])
	by ssh.fi (8.9.3/8.9.3/SSH-1.16) with ESMTP id WAA23493;
	Fri, 19 Nov 1999 22:44:25 +0200 (EET)
Received: (from majordom@localhost)
	by mail.clinet.fi (8.9.3/8.9.3) id WAA26795
	for ietf-ssh-outgoing; Fri, 19 Nov 1999 22:41:16 +0200
Received: from dragonfly.corp.home.net (dragonfly.corp.home.net [24.0.31.130])
	by mail.clinet.fi (8.9.3/8.9.3) with ESMTP id WAA26787
	for <ietf-ssh@clinet.fi>; Fri, 19 Nov 1999 22:41:05 +0200
Received: from dragonfly.corp.home.net (rja@localhost [127.0.0.1])
	by dragonfly.corp.home.net (8.9.3/8.9.3) with ESMTP id PAA20206;
	Fri, 19 Nov 1999 15:40:25 -0500 (EST)
Message-Id: <199911192040.PAA20206@dragonfly.corp.home.net>
X-Mailer: exmh version 2.1.0 09/18/1999
To: Frank Cusack <fcusack@iconnet.net>
cc: nisse@lysator.liu.se (Niels Möller), Ran Atkinson <rja@corp.home.net>,
        ietf-ssh@clinet.fi, rja@corp.home.net
Subject: Re: Using DNS names 
In-Reply-To: Message from Frank Cusack <fcusack@iconnet.net> 
   of "Fri, 19 Nov 1999 12:24:36 PST." <199911192024.MAA01500@yem.jsv.qwest.net> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 19 Nov 1999 15:40:25 -0500
From: Ran Atkinson <rja@corp.home.net>
Sender: owner-ietf-ssh@clinet.fi
Precedence: bulk
Content-Length: 299
Lines: 11


It sounds like folks would be happier to s/MUST NOT/SHOULD NOT/
with respect to accepting unauthenticated DNS information.

Saying nothing or approving acceptance of unauthenticated DNS
information both seem like truly bad decisions, unlikely to
get past the IESG Review in any event, IMHO.

Ran
