On Tue, 2011-07-26 at 09:50 -0700, Rick Wesson wrote:
> [snip]
>
> > I totally agree, however I don't think DNS-based resolving is a good
> > idea here. HTTPS does have several advantages over a DNSSEC-based
> > solution without any significant drawbacks that I can see.
>
> To restate your (con dnssec) points:
> o DNS resolution of bitcoin addresses is bad because of potential
>   MITM attacks
> o DNSSEC is not a security measure for mitigating DNS resolution of
>   bitcoin addresses because the application would require its own
>   dnssec enabled stub resolver

That is one point, but yes.

> Please restate
> o HTTPS is your preferred method for resolution because?

Because it makes giving different addresses to each client based on IP
much easier. It's possible with DNS by setting TTL to 0 and hoping that
Bitcoin clients will be using their own resolver, but that is far from
guaranteed. Additionally, the HTTPS stuff has already been coded and
implemented, so there's that...

Frankly, HTTPS' advantages are very small here, but since they exist,
and DNS has no advantages that I can see, I don't see any reason to go
with DNS here. I much prefer using an HTTPS library (of which there are
many which have had much more thorough security audits) to a
DNSSEC-implementing DNS recursion library with the root trust anchors
and root servers built in (are there any?).

Maybe I'm missing something here?

Matt