[dane] Bootstrapping IPSec from DNSSEC/DANE

david.lloyd@fsmail.net Sat, 21 September 2013 11:31 UTC

Return-Path: <david.lloyd@fsmail.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88BBE11E8151 for <dane@ietfa.amsl.com>; Sat, 21 Sep 2013 04:31:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.501
X-Spam-Level:
X-Spam-Status: No, score=0.501 tagged_above=-999 required=5 tests=[BAYES_50=0.001, SARE_FREE_WEBM_NetFs=0.5]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PEJlQHLpPs5U for <dane@ietfa.amsl.com>; Sat, 21 Sep 2013 04:31:10 -0700 (PDT)
Received: from smtpout.wanadoo.co.uk (smtpout5.wanadoo.co.uk [80.12.242.80]) by ietfa.amsl.com (Postfix) with ESMTP id 7F63611E814E for <dane@ietf.org>; Sat, 21 Sep 2013 04:31:09 -0700 (PDT)
Received: from wwinf3706 ([10.232.27.33]) by mwinf5d65 with ME id TnX81m0060irfA203nX8S2; Sat, 21 Sep 2013 13:31:08 +0200
Date: Sat, 21 Sep 2013 13:31:08 +0200
From: david.lloyd@fsmail.net
To: ipsec@ietf.org, dane@ietf.org
Message-ID: <22017290.30831379763068147.JavaMail.www@wwinf3706>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [86.26.3.116]
X-Wum-Nature: EMAIL-NATURE
X-WUM-FROM: |~|
X-WUM-TO: |~||~|
X-WUM-REPLYTO: |~|
Subject: [dane] Bootstrapping IPSec from DNSSEC/DANE
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: david.lloyd@fsmail.net
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Sep 2013 11:31:16 -0000

Hi,

I am interested in using a variant of DANE to bootstrap my IPSec IKE root certificate trust.  Is anyone aware of any work being done in this area?

From my understanding, it looks as though there is no technical issue with using a reverse DNS lookup for the IPSec target machine with DNSSEC (although this may be a little unreliable on the "real-world" internet), and so returning standard DANE entries for the IPSec certificate.  Then I would simply use these as part of the standard IPSec certificate validation algorithm.

Looking at similar proposed applications of DANE, such as the draft-ietf-dane-srv, mostly this involves defining an appropriate protocol query name (for example _ipsec.123.123.123.123.in-addr.arpa).

Is this something that would fit into an existing document either from the IKE side or the DANE side?  Or would it be worth me creating a more extensive proposal?

Regards,

David L

P.S.  Sorry for cross-posting to two lists!
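The mechanics the post sketches (derive a query name from the peer's address under in-addr.arpa, then match what comes back against the peer's IKE certificate the way DANE matches a TLS certificate) can be shown in a few lines. The following is an added example written for this archive page, not code from the poster or from any IETF draft. It assumes the "_ipsec" prefix label the post proposes (no such label is registered), uses the RFC 6698 TLSA record semantics (usage, selector, matching type) for the returned entries, treats the peer certificate as opaque DER bytes (the sample certificate is a constructed placeholder, not a real X.509 structure), and leaves the SubjectPublicKeyInfo extraction needed for selector 1 to the caller. The DNSSEC validation status is passed in as a boolean because an offline example cannot perform the lookup; in a real deployment only records returned with the AD bit set by a validating resolver may be trusted, which is exactly the "real-world" reverse-zone caveat the post raises.

```python
"""Added example: map an IPsec peer address to a DANE-style owner name and
match TLSA-format records against the peer certificate.  Assumptions: the
"_ipsec" label is hypothetical (taken from the post, not registered), and
SAMPLE_CERT_DER below is constructed placeholder bytes, not a real cert."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


def reverse_owner_name(address: str, service_label: str = "_ipsec") -> str:
    """Build the query name for a peer, e.g. 192.0.2.1 ->
    '_ipsec.1.2.0.192.in-addr.arpa.'; IPv6 uses the nibble form under ip6.arpa."""
    ip = ipaddress.ip_address(address)          # rejects malformed input
    return f"{service_label}.{ip.reverse_pointer}."


@dataclass(frozen=True)
class TLSARecord:
    usage: int           # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int        # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int   # 0 exact, 1 SHA-256, 2 SHA-512
    cert_assoc_data: bytes


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse RFC 6698 presentation format '<usage> <selector> <mtype> <hex...>'."""
    fields = presentation.split()
    if len(fields) < 4:
        raise ValueError("TLSA record needs usage, selector, matching type, data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    for name, value in (("usage", usage), ("selector", selector),
                        ("matching type", mtype)):
        if not 0 <= value <= 255:
            raise ValueError(f"{name} out of range: {value}")
    # The hex data may be split across whitespace in zone files; rejoin it.
    data = bytes.fromhex("".join(fields[3:]))
    return TLSARecord(usage, selector, mtype, data)


def tlsa_matches(record: TLSARecord, cert_der: bytes,
                 spki_der: Optional[bytes] = None) -> bool:
    """Return True if the record's association data matches the certificate.
    Unknown selectors or matching types never match (fail closed)."""
    if record.selector == 0:
        subject = cert_der
    elif record.selector == 1:
        if spki_der is None:
            raise ValueError("selector 1 needs the SubjectPublicKeyInfo DER")
        subject = spki_der
    else:
        return False
    if record.matching_type == 0:
        digest = subject
    elif record.matching_type == 1:
        digest = hashlib.sha256(subject).digest()
    elif record.matching_type == 2:
        digest = hashlib.sha512(subject).digest()
    else:
        return False
    # Constant-time comparison, as for any credential check.
    return hmac.compare_digest(digest, record.cert_assoc_data)


def dane_ee_accepts(records: Iterable[TLSARecord], cert_der: bytes,
                    spki_der: Optional[bytes] = None, *,
                    dnssec_validated: bool) -> bool:
    """Accept the peer certificate only when a DNSSEC-validated DANE-EE
    (usage 3) record matches it.  Usage 3 is the one mode that needs no
    separate PKIX chain, which is the bootstrapping case the post describes;
    usages 0-2 would additionally require the IKE PKIX validation the post
    mentions and are deliberately not accepted here on their own."""
    if not dnssec_validated:
        return False   # unsigned reverse zone: records prove nothing
    return any(r.usage == 3 and tlsa_matches(r, cert_der, spki_der)
               for r in records)


# Constructed sample input (placeholder bytes, not a real DER certificate).
SAMPLE_CERT_DER = b"constructed-placeholder-ike-peer-certificate"
SAMPLE_TLSA_TEXT = "3 0 1 " + hashlib.sha256(SAMPLE_CERT_DER).hexdigest()

if __name__ == "__main__":
    print(reverse_owner_name("192.0.2.1"))
    rec = parse_tlsa(SAMPLE_TLSA_TEXT)
    print(dane_ee_accepts([rec], SAMPLE_CERT_DER, dnssec_validated=True))
    print(dane_ee_accepts([rec], SAMPLE_CERT_DER, dnssec_validated=False))
```

The owner-name function is the only piece specific to the post's idea; the matching logic is plain DANE, which is why the post can talk about "standard DANE entries". Note that `reverse_owner_name` follows the post's literal layout (`_ipsec.<reversed octets>.in-addr.arpa`), whereas the SRV-style drafts it cites put the port and transport into the prefix; which labels to use is precisely the point the post leaves open.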