IETF Logo Mail Archive

Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)

John Gilmore <gnu@toad.com> Fri, 06 April 2001 12:00 UTC

Received: from psg.com (exim@[147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with SMTP id IAA07834 for <dnsext-archive@lists.ietf.org>; Fri, 6 Apr 2001 08:00:25 -0400 (EDT)
Received: from lserv by psg.com with local (Exim 3.16 #1) id 14lUUp-000KF5-00 for namedroppers-data@psg.com; Fri, 06 Apr 2001 04:33:43 -0700
Received: from rip.psg.com ([147.28.0.39] ident=exim) by psg.com with esmtp (Exim 3.16 #1) id 14lUUo-000KEz-00 for namedroppers@ops.ietf.org; Fri, 06 Apr 2001 04:33:42 -0700
Received: from randy by rip.psg.com with local (Exim 3.16 #1) id 14lUUo-000FsD-00 for namedroppers@ops.ietf.org; Fri, 06 Apr 2001 04:33:42 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <200104060317.UAA13324@toad.com>
X-Authentication-Warning: toad.com: Host localhost [127.0.0.1] didn't use HELO protocol
To: Miek Gieben <miekg@open.nlnetlabs.nl>
cc: Dan Massey <masseyd@isi.edu>, namedroppers@ops.ietf.org, gnu@toad.com
Subject: Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)
In-reply-to: <20010405154908.A92004@open.nlnetlabs.nl>
Date: Thu, 05 Apr 2001 20:17:14 -0700
From: John Gilmore <gnu@toad.com>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
Content-Transfer-Encoding: 7bit

> For host with an A RR that points to the zone-name (instead of
> a hostname under the zone-name) and without any knowledge, this
> clash could happen, but then two unlikely things are happening
> (a system administrator putting his "ipsec/ssh" host at the
> top of his zone and a user whois aware of ipsec/ssh but unaware
> of where to look for the ipsec/ssh key-RR).

There's nothing wrong with putting an IPSEC KEY record at the top
of a zone, along with the zone keys.  That's why the keys have flags
and protocol fields in them, to differentiate the various sorts that
a domain name or host might have.

The parent that signs the KEY records at a zone top should be prepared
to sign any number of KEY records in the RRset, with any flags desired
by the zone owner.  The signature is defined to be on the entire
RRset, there is no way for the parent to "just sign the zone key".

My zone, toad.com, will one day have both a zone key and an IPSEC key.
That RRset will be signed by the parent zone, assuming it isn't VeriSign.
(VeriSign will probably try to charge big bucks for signing your zone,
since they currently charge big bucks for signing your SSL key, and
signed DNS keys could easily obsolete SSL certificates.  I think they 
bought NSI to be able to make money either way.)

Many SLDs have a web server at the SLD (e.g. slashdot.org as well
as www.slashdot.org).  If it supports IPSEC, its key will be there;
if it supports SSL, its key could be there in the DNS, etc.

There is no reason for TLD DNSSEC automation to refuse to sign RRsets
that contain keys like this.  And many reasons, generality and
non-discrimination being the most obvious, to sign whatever keys the
lower zone wants to put at its top label.  It does own its zone, and
should be able to control its contents...

	John Gilmore

PS: The last few releases of the FreeS/WAN software (www.freeswan.org)
contain support for fetching keys out of the DNS, and the current
snapshot contains prototype code for attempting opportunistic
encryption using such keys.  (Opportunistic encryptors see if an IPSEC
key is published for any destination IP address, and if so, attempt to
negotiate a tunnel before sending any packets to it.)


to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.

v2.23.0 | Report a Bug | By Email