[DNSOP] new Resource record?
"Hosnieh Rafiee" <ietf@rozanak.com> Wed, 09 December 2015 20:26 UTC
Return-Path: <ietf@rozanak.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33B4B1A1B3E for <dnsop@ietfa.amsl.com>; Wed, 9 Dec 2015 12:26:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.011
X-Spam-Level:
X-Spam-Status: No, score=-0.011 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x-z7F0LU_mQw for <dnsop@ietfa.amsl.com>; Wed, 9 Dec 2015 12:26:02 -0800 (PST)
Received: from mail.rozanak.com (mail.rozanak.com [IPv6:2a01:238:42ad:1500:aa19:4238:e48f:61cf]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 659321A1B4A for <DNSOP@ietf.org>; Wed, 9 Dec 2015 12:26:02 -0800 (PST)
Received: from localhost (unknown [127.0.0.1]) by mail.rozanak.com (Postfix) with ESMTP id 6624025CA052 for <DNSOP@ietf.org>; Wed, 9 Dec 2015 20:26:00 +0000 (UTC)
X-Virus-Scanned: amavisd-new at rozanak.com
Received: from mail.rozanak.com ([127.0.0.1]) by localhost (mail.iknowlaws.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KdyiGlJzPNOs for <DNSOP@ietf.org>; Wed, 9 Dec 2015 21:25:27 +0100 (CET)
Received: from kopoli (p200300864F79677C84E021A055B0AA04.dip0.t-ipconnect.de [IPv6:2003:86:4f79:677c:84e0:21a0:55b0:aa04]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.rozanak.com (Postfix) with ESMTPSA id 13F5925CA03E for <DNSOP@ietf.org>; Wed, 9 Dec 2015 21:25:27 +0100 (CET)
From: Hosnieh Rafiee <ietf@rozanak.com>
To: DNSOP@ietf.org
Date: Wed, 09 Dec 2015 21:25:18 +0100
Message-ID: <005a01d132bf$b8d31a80$2a794f80$@rozanak.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AdEyv7aD6nZ+g9mPSHqaCo8eUobTVA==
Content-Language: en-us
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/vi1jWCT-XbdFKNGukJEeOdu3XPw>
Subject: [DNSOP] new Resource record?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2015 20:26:04 -0000
Hi,

Since DNS is a very important service on the Internet, it can be used as a powerful system for several security processes. So far, some resource records have been proposed for certificates, keys and other values. I would like to suggest the following format (this is a rough version; it is not exact and is only meant to give you an idea of the purpose) for a new resource record to store the reference information for the binding of authentication and authorization, where authentication can be based on public keys or certificates. This means each reference number represents an actual policy template in another security system or other services. This means if a certificate is bound to more than one reference, then more than one of this section is added to the RDATA section of the DNS query. This also should be updatable by the DDNS protocol. BTW, I skipped the header and other parts of the RR; this part is only the RDATA section.

-----------------------
|flag| reference no   |
-----------------------
| some human readable |
|        text         |
-----------------------

The process is also simple: when a node queries the certificates, the DNS server also includes this RR if it exists on the DNS server, so that when the querier retrieves this information, it can query other services for the given value to authorize the other host on the network.

Is DNSOP the right place for that? I asked DANE and they said it is not in their charter. If not, please tell me where the right place is. If yes, please tell me what you think about it and whether or not you would support drafting it.

Thank you,
Best,
Hosnieh
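As an added illustration of the RDATA layout sketched in the message above (this is example code written for this page, not part of the proposal or any DNSOP draft), the following Python encodes and strictly parses the "flag / reference no / human-readable text" sections. The field widths are assumptions, since the proposal gives none: a 1-octet flag, a 4-octet reference number and a 2-octet length prefix on the text. Several sections are concatenated when a certificate is bound to more than one reference, and the parser rejects any section whose header or text runs past the end of the RDATA rather than reading beyond it.

```python
"""Toy wire encoding for the proposed "binding" RDATA (constructed example).

Field widths below are assumptions, not taken from the proposal:
  flag          1 octet
  reference no  4 octets, unsigned big-endian
  text          2-octet length prefix + UTF-8 bytes
Several such sections may be concatenated in one RDATA when a certificate
is bound to more than one reference.
"""
import struct
from dataclasses import dataclass
from typing import List

# One section header: flag, reference number, text length (7 octets).
HEADER = struct.Struct("!BIH")


@dataclass(frozen=True)
class Binding:
    flag: int
    reference: int
    text: str


def encode_bindings(bindings: List[Binding]) -> bytes:
    """Serialise a list of sections into one RDATA byte string."""
    out = bytearray()
    for b in bindings:
        if not 0 <= b.flag <= 0xFF:
            raise ValueError("flag must fit in one octet")
        if not 0 <= b.reference <= 0xFFFFFFFF:
            raise ValueError("reference number must fit in four octets")
        text = b.text.encode("utf-8")
        if len(text) > 0xFFFF:
            raise ValueError("text too long for a 2-octet length prefix")
        out += HEADER.pack(b.flag, b.reference, len(text)) + text
    return bytes(out)


def decode_bindings(rdata: bytes) -> List[Binding]:
    """Parse RDATA into sections; the caller passes exactly RDLENGTH bytes.

    Every length is checked against the remaining input before it is used,
    so a truncated or malformed record raises ValueError instead of being
    silently accepted with garbage fields.
    """
    bindings = []
    pos = 0
    while pos < len(rdata):
        if len(rdata) - pos < HEADER.size:
            raise ValueError("truncated section header at offset %d" % pos)
        flag, ref, tlen = HEADER.unpack_from(rdata, pos)
        pos += HEADER.size
        if len(rdata) - pos < tlen:
            raise ValueError("text length %d exceeds remaining RDATA" % tlen)
        text = rdata[pos:pos + tlen].decode("utf-8", errors="strict")
        pos += tlen
        bindings.append(Binding(flag, ref, text))
    return bindings


def is_well_formed(rdata: bytes) -> bool:
    """True if the RDATA parses completely without error."""
    try:
        decode_bindings(rdata)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def references_for_lookup(rdata: bytes) -> List[int]:
    """Reference numbers the querier would hand to the external
    authorization service, in RDATA order, duplicates removed."""
    seen: List[int] = []
    for b in decode_bindings(rdata):
        if b.reference not in seen:
            seen.append(b.reference)
    return seen


# Constructed sample: one certificate bound to two policy references.
SAMPLE = [Binding(0x01, 1001, "role: backup-operator"),
          Binding(0x00, 42, "site policy template 42")]
SAMPLE_RDATA = encode_bindings(SAMPLE)

if __name__ == "__main__":
    for b in decode_bindings(SAMPLE_RDATA):
        print(b)
    print("references to consult:", references_for_lookup(SAMPLE_RDATA))
```

Two points worth keeping in mind when reading this: the human-readable text is informational only and the reference number is the value actually used for the follow-up lookup, so a consumer should never let the text influence an authorization decision; and because the record merely points at a policy elsewhere, its usefulness depends entirely on the integrity of the DNS answer that carried it, which is why such a record would only be meaningful in a DNSSEC-validated response.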
- Re: [DNSOP] new Resource record? Patrik Fältström
- [DNSOP] new Resource record? Hosnieh Rafiee
- Re: [DNSOP] new Resource record? Jared Mauch
- Re: [DNSOP] new Resource record? Hosnieh Rafiee
- Re: [DNSOP] new Resource record? Edward Lewis
- Re: [DNSOP] new Resource record? Hosnieh Rafiee
- Re: [DNSOP] new Resource record? Hosnieh Rafiee
- Re: [DNSOP] new Resource record? Jared Mauch
- Re: [DNSOP] new Resource record? Viktor Dukhovni
- Re: [DNSOP] new Resource record? Hosnieh Rafiee