On 4/19/13, Dave Crocker <dhc2@dcrocker.net> wrote:
> On 4/19/2013 4:33 PM, Jimmy Hess wrote:
> [snip]
> Absent a view that somehow says all metadata is a security function, I don't see how the marking of administrative boundaries qualifies as a security function.
The security function comes in immediately when you consider any actual uses for said kind of metadata. The issues are alleviated only by assuming that an administrative division always exists unless you can show otherwise, and showing that the records are in the same zone is one way of showing otherwise. When you come to rely on it, there are new security issues. It becomes such that it is perfectly safe to assume that there is an administrative division when there is not (in the worst case, you break some desired function, such as the sharing of cookies across subdomains within the same administrative boundary). But if you assume no administrative division exists when there is supposed to be one -- you have some kind of access control permit leakage, or data leaking through permissions that are supposed to block operations across the administrative boundaries. Only a zone signed with DNSSEC can really be trusted not to be tampered with; therefore, any declaration of an administrative division cannot be proven, and should not be relied upon, if any parent zone up the tree is not signed, with delegation validated using signed records.
> Let's be careful not to overload functions here.
The function becomes pretty useless if you cannot safely rely on it in the real world, because tampering can occur through lack of integrity validation, or by a child domain claiming not to be administratively divided (when actually there is supposed to be an administrative division). In those cases, a static list is safer.
> d/

-- 
-JH