The authors believes this RR to not cause any new security problems.
Some problems become more visible, though.
- The ability to specify ports on a fine-grained basis obviously
changes how a router can filter packets. It becomes impossible
to block internal clients from accessing specific external
services, slightly harder to block internal users from running
unautorised services, and more important for the router
operations and DNS operations personnel to cooperate.
- There is no way a site can keep its hosts from being referenced
as servers (as, indeed, some sites become unwilling secondary
MXes today). This could lead to denial of service.
- With SRV, DNS spoofers can supply false port numbers, as well as
host names and addresses. The authors do not see any practical
effect of this.
We assume that as the DNS-security people invent new features, DNS
servers will return the relevant RRs in the Additional Data section
when answering an SRV query.
