Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)

Roy Arends <Roy.Arends@nominum.com> Fri, 06 April 2001 18:08 UTC

Received: from psg.com (exim@[147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with SMTP id OAA16004 for <dnsext-archive@lists.ietf.org>; Fri, 6 Apr 2001 14:08:19 -0400 (EDT)
Received: from lserv by psg.com with local (Exim 3.16 #1) id 14laC6-00092X-00 for namedroppers-data@psg.com; Fri, 06 Apr 2001 10:38:46 -0700
Received: from [63.218.17.194] (helo=h236.s254.netsol.com) by psg.com with esmtp (Exim 3.16 #1) id 14laC4-00091v-00 for namedroppers@ops.ietf.org; Fri, 06 Apr 2001 10:38:45 -0700
Received: (from markk@localhost) by h236.s254.netsol.com (8.11.0/8.11.0) id f36GgiN01215 for namedroppers@ops.ietf.org; Fri, 6 Apr 2001 12:42:44 -0400
Received: from shell.nominum.com ([204.152.187.59]) by psg.com with esmtp (Exim 3.16 #1) id 14la9L-0008w0-00 for namedroppers@ops.ietf.org; Fri, 06 Apr 2001 10:35:55 -0700
Received: from localhost (shell.nominum.com [204.152.187.59]) by shell.nominum.com (Postfix) with ESMTP id A7E9731914; Fri, 6 Apr 2001 10:35:39 -0700 (PDT)
Date: Fri, 06 Apr 2001 19:38:29 +0200
From: Roy Arends <Roy.Arends@nominum.com>
To: John Gilmore <gnu@toad.com>
Cc: Miek Gieben <miekg@open.nlnetlabs.nl>, Dan Massey <masseyd@isi.edu>, namedroppers@ops.ietf.org, Randy Bush <randy@psg.com>
Subject: Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)
In-Reply-To: <200104060317.UAA13324@toad.com>
Message-ID: <Pine.BSF.4.21.0104061919000.6699-100000@node10c4d.a2000.nl>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk

On Thu, 5 Apr 2001, John Gilmore wrote:

> > For a host with an A RR that points to the zone-name (instead of
> > a hostname under the zone-name) and without any knowledge, this
> > clash could happen, but then two unlikely things are happening
> > (a system administrator putting his "ipsec/ssh" host at the
> > top of his zone and a user who is aware of ipsec/ssh but unaware
> > of where to look for the ipsec/ssh key-RR).
> 
> There's nothing wrong with putting an IPSEC KEY record at the top
> of a zone, along with the zone keys.  That's why the keys have flags
> and protocol fields in them, to differentiate the various sorts that
> a domain name or host might have.

There is nothing wrong with putting IPSEC KEYs in a zone. Just not at the
apex. I would rather have the zone be responsible for the SIG(IPSEC KEY) than
the parent zone, which is out of my control. Next to that, a ZONE key is
responsible for the whole zone, while IPSEC KEYs are associated with
individual hostnames or numbers.

I agree with Randy's statement that "in general, we discourage storing
non-dns data in the dns.", but that's in my view unrelated to this matter.
The DNS is an excellent place to store IPSEC keys. I strongly encourage
using DNS as a PKI (which DNSSEC is), when it comes to these DNS-related
matters. If one uses DNSSEC to authenticate data which is responsible for
mapping hostnames to numbers, why not authenticate data which is
responsible for mapping hostkeys to numbers (or vice versa)? If I think
about it a little further, I can see those as strongly related: DNSSEC for
authentication, IPSEC for encryption. Where is IPSEC without DNSSEC? And
what else is there to use for IPSEC key distribution? Where is the
redundant, globally distributed and widely used X.509 PKI scheme for that
matter?

Regards,

Roy Arends
Nominum.
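The distinction the two posters are arguing over (zone keys versus IPSEC host keys, and which of them sit at the apex where a parent-signed KEY RRset would cover them) can be checked mechanically from the KEY RR's flags and protocol fields. The following is an added example, not code from this thread or from any of the participants. It assumes the RFC 2535 KEY RR presentation format (`owner [TTL] [class] KEY flags protocol algorithm public-key`), the RFC 2535 meaning of the protocol octet (3 = DNSSEC, 4 = IPSEC) and of the name-type bits 6-7 of the flags word (01 = zone key, 10 = host/entity key); the zone excerpt and key material are constructed placeholders. The audit rule encodes Roy's position: a non-zone key placed at the apex would have its signature produced by whoever signs the apex KEY RRset, which under a parent-signature scheme is the parent, not the zone itself.

```python
"""Audit KEY RRs in a zone-file excerpt by RFC 2535 flags/protocol fields.

Added example (not from the thread). Assumes RFC 2535 KEY RR field
semantics; the sample zone below is constructed.
"""

# Protocol octet values, RFC 2535 section 3.1.3 (assumed from the RFC).
PROTOCOLS = {1: "TLS", 2: "email", 3: "DNSSEC", 4: "IPSEC", 255: "all"}

# Name-type field: bits 6-7 of the 16-bit flags word, bit 0 being the MSB,
# so the pair occupies 0x0300 and a value of 1 (flags 256) marks a zone key.
NAME_TYPES = {0: "user", 1: "zone", 2: "host/entity", 3: "reserved"}


def parse_key_rr(line):
    """Parse one KEY RR in presentation format; return a dict, or None
    if the line is not a KEY RR (A records, comments, blanks...)."""
    fields = line.split()
    if not fields or fields[0].startswith(";") or "KEY" not in fields:
        return None
    i = fields.index("KEY")            # tolerates optional TTL and class
    if len(fields) < i + 5:
        return None                    # flags, protocol, algorithm, key needed
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    return {
        "owner": fields[0].lower(),
        "flags": flags,
        "name_type": NAME_TYPES[(flags >> 8) & 0x3],
        "protocol": PROTOCOLS.get(proto, "unknown(%d)" % proto),
        "algorithm": alg,
        "pubkey": "".join(fields[i + 4:]),
    }


def audit_zone(zone_name, zone_text):
    """Return (keys, findings): every KEY RR found, plus a finding for each
    non-zone key (e.g. an IPSEC host key) that shares the apex with the
    zone keys, and for any IPSEC key flagged as a zone key."""
    apex = zone_name.lower().rstrip(".") + "."
    keys = [k for k in map(parse_key_rr, zone_text.splitlines()) if k]
    findings = []
    for k in keys:
        if k["owner"] == apex and k["name_type"] != "zone":
            findings.append(
                "%s %s key at apex %s: its SIG belongs to whoever signs "
                "the apex KEY RRset (the parent, under a parent-signed apex)"
                % (k["protocol"], k["name_type"], apex))
        if k["protocol"] == "IPSEC" and k["name_type"] == "zone":
            findings.append(
                "IPSEC key at %s is flagged as a zone key; IPSEC keys "
                "belong to individual hosts, not the whole zone" % k["owner"])
    return keys, findings


# Constructed sample: a zone key at the apex, an IPSEC host key wrongly
# placed at the apex, and an IPSEC host key where it belongs. Key material
# and algorithm number are placeholders, not real keys.
SAMPLE_ZONE = """\
; constructed example zone
example.test.       IN KEY 256 3 1 AQPzoneKeyPlaceholder==
example.test.       IN KEY 512 4 1 AQPipsecKeyAtApexPlaceholder==
vpn.example.test.   IN A   192.0.2.10
vpn.example.test.   IN KEY 512 4 1 AQPipsecHostKeyPlaceholder==
"""

if __name__ == "__main__":
    found, problems = audit_zone("example.test", SAMPLE_ZONE)
    for k in found:
        print("%-20s %-12s %-8s flags=%d" % (
            k["owner"], k["name_type"], k["protocol"], k["flags"]))
    for p in problems:
        print("WARNING:", p)
```

Running it prints the three keys with their decoded name type and protocol, then one warning for the IPSEC host/entity key at `example.test.`; the same key under `vpn.example.test.` raises nothing, because the SIG over that RRset is produced by the zone's own key.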
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.