Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)
John Gilmore <gnu@toad.com> Fri, 06 April 2001 12:00 UTC
Received: from psg.com (exim@[147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with SMTP id IAA07834 for <dnsext-archive@lists.ietf.org>; Fri, 6 Apr 2001 08:00:25 -0400 (EDT)
Received: from lserv by psg.com with local (Exim 3.16 #1) id 14lUUp-000KF5-00 for namedroppers-data@psg.com; Fri, 06 Apr 2001 04:33:43 -0700
Received: from rip.psg.com ([147.28.0.39] ident=exim) by psg.com with esmtp (Exim 3.16 #1) id 14lUUo-000KEz-00 for namedroppers@ops.ietf.org; Fri, 06 Apr 2001 04:33:42 -0700
Received: from randy by rip.psg.com with local (Exim 3.16 #1) id 14lUUo-000FsD-00 for namedroppers@ops.ietf.org; Fri, 06 Apr 2001 04:33:42 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <200104060317.UAA13324@toad.com>
X-Authentication-Warning: toad.com: Host localhost [127.0.0.1] didn't use HELO protocol
To: Miek Gieben <miekg@open.nlnetlabs.nl>
cc: Dan Massey <masseyd@isi.edu>, namedroppers@ops.ietf.org, gnu@toad.com
Subject: Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)
In-reply-to: <20010405154908.A92004@open.nlnetlabs.nl>
Date: Thu, 05 Apr 2001 20:17:14 -0700
From: John Gilmore <gnu@toad.com>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
Content-Transfer-Encoding: 7bit
> For host with an A RR that points to the zone-name (instead of > a hostname under the zone-name) and without any knowledge, this > clash could happen, but then two unlikely things are happening > (a system administrator putting his "ipsec/ssh" host at the > top of his zone and a user whois aware of ipsec/ssh but unaware > of where to look for the ipsec/ssh key-RR). There's nothing wrong with putting an IPSEC KEY record at the top of a zone, along with the zone keys. That's why the keys have flags and protocol fields in them, to differentiate the various sorts that a domain name or host might have. The parent that signs the KEY records at a zone top should be prepared to sign any number of KEY records in the RRset, with any flags desired by the zone owner. The signature is defined to be on the entire RRset, there is no way for the parent to "just sign the zone key". My zone, toad.com, will one day have both a zone key and an IPSEC key. That RRset will be signed by the parent zone, assuming it isn't VeriSign. (VeriSign will probably try to charge big bucks for signing your zone, since they currently charge big bucks for signing your SSL key, and signed DNS keys could easily obsolete SSL certificates. I think they bought NSI to be able to make money either way.) Many SLDs have a web server at the SLD (e.g. slashdot.org as well as www.slashdot.org). If it supports IPSEC, its key will be there; if it supports SSL, its key could be there in the DNS, etc. There is no reason for TLD DNSSEC automation to refuse to sign RRsets that contain keys like this. And many reasons, generality and non-discrimination being the most obvious, to sign whatever keys the lower zone wants to put at its top label. It does own its zone, and should be able to control its contents... John Gilmore PS: The last few releases of the FreeS/WAN software (www.freeswan.org) contain support for fetching keys out of the DNS, and the current snapshot contains prototype code for attempting opportunistic encryption using such keys. (Opportunistic encryptors see if an IPSEC key is published for any destination IP address, and if so, attempt to negotiate a tunnel before sending any packets to it.) to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
- Re: Signature at parent (draft-ietf-dnsop-parent-… Ted Lindgreen
- Re: Signature at parent (draft-ietf-dnsop-parent-… Olaf Kolkman
- Re: Signature at parent (draft-ietf-dnsop-parent-… Roy Arends
- Re: Signature at parent (draft-ietf-dnsop-parent-… Miek Gieben
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis
- Re: Signature at parent (draft-ietf-dnsop-parent-… John Gilmore
- Re: Signature at parent (draft-ietf-dnsop-parent-… Olaf Kolkman
- Re: Signature at parent (draft-ietf-dnsop-parent-… Brian Wellington
- Re: Signature at parent (draft-ietf-dnsop-parent-… Ted Lindgreen
- Re: DNS vs. non-DNS Data (was Re: Signature at pa… Kevin Darcy
- Re: Signature at parent (draft-ietf-dnsop-parent-… Ted Lindgreen
- Re: DNS vs. non-DNS Data (was Re: Signature at pa… Eric A. Hall
- Re: Signature at parent (draft-ietf-dnsop-parent-… Dan Massey
- DNS vs. non-DNS Data (was Re: Signature at parent… Kevin Darcy
- Re: Signature at parent (draft-ietf-dnsop-parent-… Randy Bush
- Re: Signature at parent (draft-ietf-dnsop-parent-… Ted Lindgreen
- Re: Signature at parent (draft-ietf-dnsop-parent-… Peter Koch
- Re: DNS vs. non-DNS Data (was Re: Signature at pa… Eric A. Hall
- Re: Signature at parent (draft-ietf-dnsop-parent-… Brian Wellington
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis