Re: I-D ACTION:draft-ietf-dnsext-ad-is-secure-03.txt

Jakob Schlyter <jakob@crt.se> Sat, 21 July 2001 10:40 UTC

Received: from psg.com (exim@psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with SMTP id GAA16583 for <dnsext-archive@lists.ietf.org>; Sat, 21 Jul 2001 06:40:22 -0400 (EDT)
Received: from lserv by psg.com with local (Exim 3.31 #1) id 15NrEU-00077m-00 for namedroppers-data@psg.com; Sat, 21 Jul 2001 00:31:26 -0700
Received: from roam.psg.com ([147.28.0.10] ident=root) by psg.com with esmtp (Exim 3.31 #1) id 15NrET-00077a-00 for namedroppers@ops.ietf.org; Sat, 21 Jul 2001 00:31:25 -0700
Received: from randy by roam.psg.com with local (Exim 3.30 #1) id 15NrET-0001Fv-00 for namedroppers@ops.ietf.org; Sat, 21 Jul 2001 00:31:25 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
From: Jakob Schlyter <jakob@crt.se>
To: Brian Wellington <Brian.Wellington@nominum.com>
Cc: Roy Arends <Roy.Arends@nominum.com>, namedroppers@ops.ietf.org, ogud@ogud.com
Subject: Re: I-D ACTION:draft-ietf-dnsext-ad-is-secure-03.txt
In-Reply-To: <E15NfCd-000GgF-00@psg.com>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
Message-Id: <E15NrEU-00077m-00@psg.com>
Date: Sat, 21 Jul 2001 00:31:26 -0700

On Fri, 20 Jul 2001, Brian Wellington wrote:

> If you don't trust the on-disk zone data, why would you trust anything
> else about the server?

the data on-disk is signed, that's why you perhaps trust it - not because
it is on disk. you might not even generate or sign the zonefile yourself,
it could be done by some other entity.

I agree with Roy; setting the AD bit without cryptographic verification is
wrong and we should not encourage that.

> Treating on-disk signed data as "Authenticated" is reasonable behavior,
> and a server may choose to implement this policy.

is it still reasonable to treat the data as "Authenticated" when the
signatures have expired?


	jakob
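The policy question raised in this thread, as an added example (not code from the thread or from any DNS implementation): a responder may set the AD bit only for an RRset whose RRSIG was cryptographically verified and whose validity window covers the current time. Data that is merely signed on disk, or whose signature has expired, does not qualify. Timestamps are assumed to be 32-bit epoch seconds compared with serial-number arithmetic as RFC 4034 section 3.1.5 requires.

```python
"""AD-bit eligibility check for a DNSSEC RRset (added example)."""
from dataclasses import dataclass

MOD = 2 ** 32   # RRSIG inception/expiration are 32-bit unsigned
HALF = 2 ** 31  # RFC 1982 serial-number arithmetic threshold


def serial_gt(a: int, b: int) -> bool:
    """True if a is later than b under 32-bit serial arithmetic.

    Handles the wrap at 2^32 (year 2106) instead of comparing raw ints.
    """
    a %= MOD
    b %= MOD
    if a == b:
        return False
    return (b < a and a - b < HALF) or (b > a and b - a > HALF)


@dataclass
class Rrsig:
    inception: int
    expiration: int
    verified: bool  # signature checked against a trusted key chain, not just "present on disk"


def rrsig_current(sig: Rrsig, now: int) -> bool:
    """inception <= now <= expiration, per RFC 4034 3.1.5 serial comparison."""
    return not serial_gt(sig.inception, now) and not serial_gt(now, sig.expiration)


def ad_bit_allowed(sigs: list, now: int) -> bool:
    """Set AD only if some RRSIG both verifies and is within its validity window.

    An unverified signature loaded from the zone file, or a verified but
    expired one, yields False: the response is served without AD.
    """
    return any(s.verified and rrsig_current(s, now) for s in sigs)
```

Constructed inputs in the test below exercise the three cases the thread argues about: verified-and-current, verified-but-expired, and signed-but-unverified, plus the 2^32 wraparound.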
