Re: [Hipsec] HIT to IP in DNS

"Henderson, Thomas R" <> Wed, 21 January 2009 16:10 UTC

Hi Oleg,

A few comments below.

> -----Original Message-----
> From: Oleg Ponomarev [] 
> Sent: Monday, January 19, 2009 3:14 PM
> To:
> Subject: [Hipsec] HIT to IP in DNS
> Hi!
> I just submitted an initial version of a draft[1] to specify one of the
> methods used in HIPL[2] to do the HIT->current IP addresses resolution.
> This is needed to run legacy applications.

I disagree that this is strictly needed to run legacy applications.
Perhaps "may be useful" instead of "needed"?

> Briefly: query A/AAAA and allow their changes from the corresponding HIT.
> Your comments are appreciated as usual.

You are really talking about defining domain names based on HITs and
storing them in a well known domain.  Maybe the title could be
simplified to "Storing HITs as domain names in the DNS".

What if the target end system uses an RVS?  

   2.1. Preconfigured Domain
   The systems using this method MUST have the same domain preconfigured,
   for example

It seems like this could be slightly relaxed to state that systems MUST
share at least one top-level domain storing the HITs, since it is
conceivable that more than one server (name service provider) could be
used, and records could be looked up at multiple places.

   2.4  Managing the Records
   The system MAY send DNS UPDATE[RFC2136] to the server provided by SOA
   MNAME field of the domain.  The system MUST use HIT as the source
   address in this case.  

Can you clarify what "source address" you are talking about above?

   The system MAY add or delete A/AAAA or CNAME
   records for its own HIT representation.  The domain provided in SOA
   MNAME field of the preconfigured domain MUST have Host Identity of
   the server stored in DNS, the IP addresses MUST be listed in that
   domain using suggested method and the server MUST accept DNS UPDATE
   messages, which add or delete A/AAAA or CNAME records for the HIT
   representation of the client after successful HIP base exchange.

It might be helpful to clarify that the HIP base exchange here serves to
authenticate the origin of the DNS UPDATE, from the server's

Also, DHTs are an alternative lookup mechanism that can be used in this
scenario; it would be helpful to reference that draft:

- Tom
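The server-side check implied by section 2.4 and by the comment on origin authentication, as an added example (not code from the draft or from HIPL): the DNS UPDATE is accepted only for the owner name derived from the HIT that the HIP base exchange actually authenticated, and only for A/AAAA/CNAME. The preconfigured domain and the reverse-nibble owner-name representation are assumptions; the draft's exact representation is not quoted above.

```python
import ipaddress

# Hypothetical preconfigured domain; the real one is not quoted in the mail.
PRECONFIGURED_DOMAIN = "hit-to-ip.example."
# HITs are ORCHIDs; RFC 4843 allocated 2001:10::/28 for them (2009 vintage).
ORCHID_PREFIX = ipaddress.IPv6Network("2001:10::/28")
# Section 2.4 only lets a client add/delete these types for its own name.
ALLOWED_RRTYPES = {"A", "AAAA", "CNAME"}


def hit_to_name(hit, domain=PRECONFIGURED_DOMAIN):
    """Owner name for a HIT under the preconfigured domain.
    Assumption: reverse-nibble labels in the style of ip6.arpa."""
    addr = ipaddress.IPv6Address(hit)
    if addr not in ORCHID_PREFIX:
        raise ValueError("not an ORCHID/HIT: %s" % hit)
    nibbles = addr.exploded.replace(":", "")  # 32 hex digits
    return ".".join(reversed(nibbles)) + "." + domain


def authorize_update(authenticated_hit, update):
    """Decide whether one UPDATE record change may be applied.

    authenticated_hit: peer HIT proven by the HIP base exchange over which
    the UPDATE arrived (None if there is no HIP association). This is the
    'source' the server trusts, not anything inside the DNS message.
    update: dict with 'op' ('add'|'delete'), 'name', 'rrtype', 'rdata'.
    Returns (allowed, reason)."""
    if authenticated_hit is None:
        return False, "no HIP association: UPDATE origin is unauthenticated"
    if update.get("op") not in ("add", "delete"):
        return False, "unsupported operation"
    if update.get("rrtype") not in ALLOWED_RRTYPES:
        return False, "record type not permitted"
    try:
        expected = hit_to_name(authenticated_hit)
    except ValueError as exc:
        return False, str(exc)
    # Owner name must be the one derived from the *authenticated* HIT, so a
    # client cannot rewrite another host's HIT -> address mapping.
    if update.get("name", "").lower() != expected.lower():
        return False, "owner name does not belong to the authenticated HIT"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: client 2001:10::1 updates its own AAAA record.
    own = hit_to_name("2001:10::1")
    print(authorize_update("2001:10::1",
                           {"op": "add", "name": own, "rrtype": "AAAA",
                            "rdata": "2001:db8::5"}))
```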