On 2024-03-22 10:10:29 +1000, David Schinazi wrote:
> > PS: which are the stakeholders contacted while the relevant standards
> > brought in such hazardous default?
> >
> These RFCs went through the IETF Standards Track process, so the entire
> IETF community was consulted when this was finalized around 2011-2012.
>
> I'd like to understand why you think this is hazardous though. mDNS only
> applies to host names under .local - those names are not covered by DNSSEC,
> and therefore any queries for them are always sent completely insecure.
> Sending those queries over the wire to the configured DNS resolver has very
> similar security properties to sending them over the wire as multicast.

Please ignore my comment from the peanut gallery if it is totally off, but
is there not a difference between being able to do MitM (for regular
non-DNSSEC DNS) and just being on the same network (multicast)? So only a
router/gateway can do the former, while the latter can be done by anyone
able to respond to the multicast?

Assuming my understanding is correct, that does not seem like "very similar
security properties".

Have a nice day,
Tomas Volf

--
There are only two hard things in Computer Science: cache invalidation,
naming things and off-by-one errors.
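The difference raised above (on a multicast link any host can answer for a .local name, whereas a unicast query has a single configured resolver on its path) can be turned into a simple defensive check. The following is an added example, not code from this thread or from the RFCs it mentions: it parses mDNS responses (constructed inline here, not real captures; only A records and name compression are handled) and reports .local names for which more than one distinct address has been asserted on the link.

```python
import struct
from collections import defaultdict

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_a_response(name, ip, ttl=120):
    """Constructed test input: minimal mDNS response (QR=1, AA=1) with one A record."""
    msg = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0) + encode_name(name)
    return msg + struct.pack("!HHIH", 1, 0x8001, ttl, 4) + bytes(int(o) for o in ip.split("."))

def decode_name(msg, off):
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: follow it, then stop
            tail, _ = decode_name(msg, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n

def parse_a_answers(msg):
    """Return [(name, ip)] for A records in the answer section of a response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:  # QR bit clear: this is a query, not an answer
        return []
    off = 12
    for _ in range(qd):  # skip questions: name + type + class
        _, off = decode_name(msg, off)
        off += 4
    out = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            out.append((name.lower(), ".".join(str(b) for b in msg[off:off + 4])))
        off += rdlen
    return out

def find_conflicts(messages):
    """Names answered with >1 distinct address; multi-homed hosts can do this legitimately."""
    seen = defaultdict(set)
    for raw in messages:
        for name, ip in parse_a_answers(raw):
            seen[name].add(ip)
    return {n: ips for n, ips in seen.items() if len(ips) > 1}
```

A hit from `find_conflicts` is a triage signal rather than proof of spoofing, since a host with several interfaces can legitimately publish several addresses for the same name.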