Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)
Roy Arends <Roy.Arends@nominum.com> Fri, 06 April 2001 18:08 UTC
Received: from psg.com (exim@[147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with SMTP id OAA16004 for <dnsext-archive@lists.ietf.org>; Fri, 6 Apr 2001 14:08:19 -0400 (EDT)
Received: from lserv by psg.com with local (Exim 3.16 #1) id 14laC6-00092X-00 for namedroppers-data@psg.com; Fri, 06 Apr 2001 10:38:46 -0700
Received: from [63.218.17.194] (helo=h236.s254.netsol.com) by psg.com with esmtp (Exim 3.16 #1) id 14laC4-00091v-00 for namedroppers@ops.ietf.org; Fri, 06 Apr 2001 10:38:45 -0700
Received: (from markk@localhost) by h236.s254.netsol.com (8.11.0/8.11.0) id f36GgiN01215 for namedroppers@ops.ietf.org; Fri, 6 Apr 2001 12:42:44 -0400
Received: from shell.nominum.com ([204.152.187.59]) by psg.com with esmtp (Exim 3.16 #1) id 14la9L-0008w0-00 for namedroppers@ops.ietf.org; Fri, 06 Apr 2001 10:35:55 -0700
Received: from localhost (shell.nominum.com [204.152.187.59]) by shell.nominum.com (Postfix) with ESMTP id A7E9731914; Fri, 6 Apr 2001 10:35:39 -0700 (PDT)
Date: Fri, 06 Apr 2001 19:38:29 +0200
From: Roy Arends <Roy.Arends@nominum.com>
To: John Gilmore <gnu@toad.com>
Cc: Miek Gieben <miekg@open.nlnetlabs.nl>, Dan Massey <masseyd@isi.edu>, namedroppers@ops.ietf.org, Randy Bush <randy@psg.com>
Subject: Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)
In-Reply-To: <200104060317.UAA13324@toad.com>
Message-ID: <Pine.BSF.4.21.0104061919000.6699-100000@node10c4d.a2000.nl>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
On Thu, 5 Apr 2001, John Gilmore wrote:

> > For a host with an A RR that points to the zone-name (instead of
> > a hostname under the zone-name) and without any knowledge, this
> > clash could happen, but then two unlikely things are happening
> > (a system administrator putting his "ipsec/ssh" host at the
> > top of his zone and a user who is aware of ipsec/ssh but unaware
> > of where to look for the ipsec/ssh key-RR).
>
> There's nothing wrong with putting an IPSEC KEY record at the top
> of a zone, along with the zone keys. That's why the keys have flags
> and protocol fields in them, to differentiate the various sorts that
> a domain name or host might have.

There is nothing wrong with putting IPSEC KEYs in a zone. Just not at the apex. I would rather have the zone be responsible for the SIG(IPSEC KEY) than the parent zone, which is out of my control. Next to that, a ZONE key is responsible for the whole zone, while IPSEC KEYs are associated with individual hostnames or numbers.

I agree with Randy's statement that "in general, we discourage storing non-dns data in the dns.", but that's in my view unrelated to this matter. The DNS is an excellent place to store IPSEC keys. I strongly encourage using DNS as a PKI (which DNSSEC is) when it comes to these DNS-related matters. If one uses DNSSEC to authenticate data which is responsible for mapping hostnames to numbers, why not authenticate data which is responsible for mapping hostkeys to numbers (or vice versa)?

If I think about it a little further, I can see those as strongly related: DNSSEC for authentication, IPSEC for encryption. Where is IPSEC without DNSSEC? And what else is there to use for IPSEC key distribution? Where is the redundant, globally distributed and widely used X.509 PKI scheme for that matter?

Regards,

Roy Arends
Nominum.
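The point both messages turn on is the RFC 2535 KEY RDATA layout: a 16-bit flags field (bits 6-7 carry the name type: user, zone, host), a protocol octet (3 = DNSSEC, 4 = IPSEC, 255 = all), an algorithm octet, and the public key. The parser below, added as an editor's example and not code from this thread or from any of its participants, decodes that layout, shows how a consumer tells a zone key apart from an IPSEC host key even when both sit at the same owner name (Gilmore's point), and flags IPSEC-usable keys placed at the apex (the placement Arends argues against). The zone name `example.com.`, the owner names, and the key bytes are constructed placeholders, not real key material. Note that this KEY/SIG model is the 2001-era one: it was later replaced by DNSKEY (RFC 4034) for zone keys and by the separate IPSECKEY type (RFC 4025) for IPsec gateway keys, which resolves the clash by giving the two uses different RR types rather than only different flag bits.

```python
"""Decode RFC 2535 KEY RDATA and classify records by name type and protocol."""
import struct
from dataclasses import dataclass

# Protocol octet values, RFC 2535 section 3.1.3.
KEY_PROTOCOLS = {1: "TLS", 2: "email", 3: "DNSSEC", 4: "IPSEC", 255: "all"}
# Name type carried in flags bits 6-7, RFC 2535 section 3.1.2. Bit 0 is the
# most significant bit of the 16-bit field, so bits 6-7 are mask 0x0300.
NAME_TYPES = {0: "user", 1: "zone", 2: "host", 3: "reserved"}
# Flags bits 2-5 (0x3C00) and 8-11 (0x00F0) are reserved and must be zero.
RESERVED_FLAG_BITS = 0x3CF0


@dataclass
class KeyRR:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def name_type(self) -> str:
        return NAME_TYPES[(self.flags >> 8) & 0x3]

    @property
    def protocol_name(self) -> str:
        return KEY_PROTOCOLS.get(self.protocol, "unassigned(%d)" % self.protocol)

    @property
    def no_key(self) -> bool:
        # Flags bits 0-1 == 11 means "no key": the RR asserts that none exists.
        return (self.flags >> 14) & 0x3 == 0x3

    def usable_for(self, protocol: int) -> bool:
        """True if this KEY may be used for the given protocol octet value."""
        return not self.no_key and self.protocol in (protocol, 255)


def build_key_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire-format KEY RDATA: flags (2 octets), protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def parse_key_rdata(owner: str, rdata: bytes) -> KeyRR:
    if len(rdata) < 4:
        raise ValueError("KEY RDATA shorter than the fixed 4-octet header")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    if flags & RESERVED_FLAG_BITS:
        raise ValueError("reserved flag bits set: 0x%04x" % flags)
    return KeyRR(owner, flags, protocol, algorithm, rdata[4:])


def select_keys(rrset, protocol: int):
    """Owners of KEY RRs that may be used for the given protocol."""
    return [rr.owner for rr in rrset if rr.usable_for(protocol)]


def apex_ipsec_keys(rrset, zone: str):
    """Owners of IPSEC-usable KEYs that sit at the zone apex, i.e. the
    placement the message above argues against (the SIG over them would
    come from whoever signs the apex RRset rather than the host's own zone)."""
    return [rr.owner for rr in rrset if rr.owner == zone and rr.usable_for(4)]


# Constructed sample RRset (hypothetical zone, placeholder key bytes).
ZONE = "example.com."
SAMPLE_RRSET = [
    # zone key (name type 01), protocol DNSSEC, at the apex
    parse_key_rdata(ZONE, build_key_rdata(0x0100, 3, 1, b"zone-key-material")),
    # host key (name type 10), protocol IPSEC, also at the apex
    parse_key_rdata(ZONE, build_key_rdata(0x0200, 4, 1, b"ipsec-key-at-apex")),
    # host key, protocol IPSEC, at a hostname under the zone
    parse_key_rdata("gw." + ZONE, build_key_rdata(0x0200, 4, 1, b"ipsec-key-gw")),
    # "no key" assertion (flags bits 0-1 == 11) for email at a hostname
    parse_key_rdata("mail." + ZONE, build_key_rdata(0xC000, 2, 1, b"")),
]

if __name__ == "__main__":
    for rr in SAMPLE_RRSET:
        print(rr.owner, rr.name_type, rr.protocol_name, "(no key)" if rr.no_key else "")
    print("DNSSEC keys:", select_keys(SAMPLE_RRSET, 3))
    print("IPSEC keys:", select_keys(SAMPLE_RRSET, 4))
    print("IPSEC keys at apex:", apex_ipsec_keys(SAMPLE_RRSET, ZONE))
```

Running the block shows that the two apex records are distinguishable by flags and protocol alone, which is Gilmore's argument; `apex_ipsec_keys` then isolates the one whose signature responsibility is what Arends objects to.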