Re: PKS, and the DV/MD choice...

Mathew Lodge <> Thu, 01 May 1997 19:12 UTC

Received: from cnri by id aa26476; 1 May 97 15:12 EDT
Received: from by CNRI.Reston.VA.US id aa10572; 1 May 97 15:12 EDT
Received: from mailing-list by (8.6.9/1.0) id FAA17566; Fri, 2 May 1997 05:00:24 +1000
Received: from munnari.OZ.AU by (8.6.9/1.0) with SMTP id EAA17526; Fri, 2 May 1997 04:38:01 +1000
Received: from by munnari.OZ.AU with SMTP (5.83--+1.3.1+0.56) id SA07260; Fri, 2 May 1997 04:38:00 +1000 (from
Received: from ( []) by (8.8.5/CISCO.SERVER.1.2) with SMTP id LAA08680 for <>; Thu, 1 May 1997 11:37:43 -0700 (PDT)
Message-Id: <>
X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
Date: Thu, 01 May 1997 11:37:17 -0700
From: Mathew Lodge <>
Subject: Re: PKS, and the DV/MD choice...
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Precedence: bulk

Christian Huitema wrote:
>So, we want secure connectivity information, saying essentially that "net
>X is connected to AS Y".  One option is to modify BGP-6 to carry
>certificates. But this is overkill -- the connectivity information is
>static, about as static as address assignment.  Why not just place it in
>the DNS ? The inverse domains can be secured by DNS sec, with delegation
>traceable all the way up to the IANA.  We could easily place an AS record
>in that hierarchy, e.g. "* AS IN 12345".  That would allow
>instant checks by just looking in the DNS, and a path to escalation in
>paranoia land for the security conscious.

This would be fine but for the fact that changes to DNS delegations are not
authenticated themselves. As an example, when working for my previous
employer, the tier-1 ISP providing one of our Internet links told the
InterNIC that it ran primary DNS for our domains. Needless to say, it did
not, but no-one bothered to check. The lack of information in this ISP's
DNS files about our hosts and networks effectively "removed" us from the
Internet for several days, until the correct DNS information was propagated
back out into the Internet.

So, even if you have delegation traceable back to IANA... who's to say that
the correct delegators are members of the chain? The tier-1 ISP could have
signed its DNS information, which would have made it authenticated as far
as DNS sec is concerned -- but it still would have been bogus info.

| Mathew Lodge, Product Manager, Cisco Systems  |
|; Phone: +1 408 527 4908      |
| Fax: +1 408 527 2383				|