Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)
Peter Koch <pk@TechFak.Uni-Bielefeld.DE> Fri, 06 April 2001 18:07 UTC
Received: from psg.com (exim@[147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with SMTP id OAA15951 for <dnsext-archive@lists.ietf.org>; Fri, 6 Apr 2001 14:07:12 -0400 (EDT)
Received: from lserv by psg.com with local (Exim 3.16 #1) id 14la50-0008kU-00 for namedroppers-data@psg.com; Fri, 06 Apr 2001 10:31:26 -0700
Received: from [63.218.17.194] (helo=h236.s254.netsol.com) by psg.com with esmtp (Exim 3.16 #1) id 14la4z-0008kO-00 for namedroppers@ops.ietf.org; Fri, 06 Apr 2001 10:31:25 -0700
Received: (from markk@localhost) by h236.s254.netsol.com (8.11.0/8.11.0) id f36GZPd01114 for namedroppers@ops.ietf.org; Fri, 6 Apr 2001 12:35:25 -0400
Received: from gemma.techfak.uni-bielefeld.de ([129.70.136.103]) by psg.com with esmtp (Exim 3.16 #1) id 14lZ9Z-0006Cx-00 for namedroppers@ops.ietf.org; Fri, 06 Apr 2001 09:32:05 -0700
Received: from grimsvotn.TechFak.Uni-Bielefeld.DE (grimsvotn.TechFak.Uni-Bielefeld.DE [129.70.137.40]) by gemma.TechFak.Uni-Bielefeld.DE (8.9.1/8.9.1/TechFak/pk+ro20000427) with SMTP id SAA15605; Fri, 6 Apr 2001 18:32:03 +0200 (MET DST)
Received: from localhost by grimsvotn.TechFak.Uni-Bielefeld.DE (SMI-8.6/pk19971205) id SAA23547; Fri, 6 Apr 2001 18:32:03 +0200
Message-Id: <200104061632.SAA23547@grimsvotn.TechFak.Uni-Bielefeld.DE>
To: Ted.Lindgreen@tednet.nl
Cc: namedroppers@ops.ietf.org
Subject: Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)
In-reply-to: Your message of "Fri, 06 Apr 2001 15:01:04 +0200." <200104061301.f36D14s95349@open.nlnetlabs.nl>
X-Organization: Uni Bielefeld, Technische Fakultaet
X-Phone: +49 521 106 2902
Date: Fri, 06 Apr 2001 18:32:03 +0200
From: Peter Koch <pk@TechFak.Uni-Bielefeld.DE>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
> The problems with it are: > > 1. Inflexibility: [...] > 2. Cost: [...] > 3. Liability: > He, who signs, must make sure that he knows he is signing, and > must accept some responsibility for it (otherwise the signature > is worthless). I think a TLD should accept the responsibility for > a proper delegation of a domain, but I don't think the TLD will > accept the responsibility for local stuff like IPSEC-KEYS under > those already delegated domains. While I agree with (1) and (2), this statement sounds dangerous. SIG RRs have a purpose defined and restricted by the "protocol" octet in the corresponding KEY RR. SIGnatures for DNSSEC purposes provide for data origin authentication. They do not say anything about applicability or correctness of the signed data. So, a child's non-zone KEY RR SIGned by the DNSSEC key of the parent zone is not 'certified' w.r.t. the protocol it is made for. The normal resolution/verification process would only accept the child's SIG for the KEY RR, wouldn't it? -Peter to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
- Re: Signature at parent (draft-ietf-dnsop-parent-… Ted Lindgreen
- Re: Signature at parent (draft-ietf-dnsop-parent-… Olaf Kolkman
- Re: Signature at parent (draft-ietf-dnsop-parent-… Roy Arends
- Re: Signature at parent (draft-ietf-dnsop-parent-… Miek Gieben
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis
- Re: Signature at parent (draft-ietf-dnsop-parent-… John Gilmore
- Re: Signature at parent (draft-ietf-dnsop-parent-… Olaf Kolkman
- Re: Signature at parent (draft-ietf-dnsop-parent-… Brian Wellington
- Re: Signature at parent (draft-ietf-dnsop-parent-… Ted Lindgreen
- Re: DNS vs. non-DNS Data (was Re: Signature at pa… Kevin Darcy
- Re: Signature at parent (draft-ietf-dnsop-parent-… Ted Lindgreen
- Re: DNS vs. non-DNS Data (was Re: Signature at pa… Eric A. Hall
- Re: Signature at parent (draft-ietf-dnsop-parent-… Dan Massey
- DNS vs. non-DNS Data (was Re: Signature at parent… Kevin Darcy
- Re: Signature at parent (draft-ietf-dnsop-parent-… Randy Bush
- Re: Signature at parent (draft-ietf-dnsop-parent-… Ted Lindgreen
- Re: Signature at parent (draft-ietf-dnsop-parent-… Peter Koch
- Re: DNS vs. non-DNS Data (was Re: Signature at pa… Eric A. Hall
- Re: Signature at parent (draft-ietf-dnsop-parent-… Brian Wellington
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis