Re: [secdir] volunteer for draft-rafiee-intarea-cga-tsig

Jeffrey Hutzelman <jhutz@cmu.edu> Wed, 20 February 2013 21:04 UTC

Message-ID: <1361394237.9132.27.camel@minbar.fac.cs.cmu.edu>
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Sam Hartman <hartmans-ietf@mit.edu>
Date: Wed, 20 Feb 2013 16:03:57 -0500
In-Reply-To: <17096_1361317158_r1JNdHtt017963_tslip5n27s4.fsf@mit.edu>
References: <5123E350.4040809@ieca.com> <17096_1361317158_r1JNdHtt017963_tslip5n27s4.fsf@mit.edu>
Cc: secdir@ietf.org, Ralph Droms <rdroms.ietf@gmail.com>, jhutz@cmu.edu
Subject: Re: [secdir] volunteer for draft-rafiee-intarea-cga-tsig
List-Id: Security Area Directorate <secdir.ietf.org>

On Tue, 2013-02-19 at 18:39 -0500, Sam Hartman wrote:

> Section 3 contains a number of claims regarding protecting the exchanges
> between the resolver and client. Is tsig actually used for DNS
> resolution or just for update/zone transfer?

Yes, TSIG can be used for resolution.  I run caching servers this way in
production, such that TSIG is used for queries from those servers to the
authoritative servers for my own zones.  Among other things, we use this
to extend the notion of multiple views visible to different clients into
the caches, such that the same set of caching servers cache multiple
views.

-- Jeff
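The mechanism behind the answer above, as an added example that is not part of the original thread: TSIG is a per-message HMAC, so it applies to an ordinary query from a cache to an authoritative server exactly as it does to an UPDATE or AXFR. The code below is a stdlib-only Python implementation of RFC 8945 signing on the resolver side and verification on the authoritative side, including the BADKEY / BADSIG / BADTIME outcomes. The key name `cache-internal.`, the secret, the query name and the timestamp are all constructed for the illustration; hmac-sha256 is the only algorithm supported.

```python
"""TSIG (RFC 8945) on a plain DNS query: sign on the cache, verify on the
authoritative server. Standard library only; hmac-sha256 only."""
import hashlib
import hmac
import struct

TSIG_TYPE = 250
CLASS_ANY = 255
ALGORITHM = "hmac-sha256."        # algorithm identifier, carried as a domain name


def encode_name(name):
    """Uncompressed, lower-cased wire-format name (canonical form used in the MAC)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf, off):
    """Read an uncompressed name; TSIG owner and algorithm names are never compressed."""
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii").lower())
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def skip_name(buf, off):
    """Skip a possibly compressed name in the question/answer/authority sections."""
    while buf[off]:
        if buf[off] & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + buf[off]
    return off + 1


def make_query(qname, qtype, msg_id):
    """A plain query (RD set, one question): what a cache sends upstream."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def _time_fields(time_signed, fudge):
    # 48-bit "time signed" (seconds since epoch) followed by 16-bit fudge
    return struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)


def _mac(secret, unsigned_msg, keyname, time_signed, fudge, error=0, other=b""):
    """HMAC over the message *without* the TSIG RR, then the TSIG variables."""
    variables = (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0)
                 + encode_name(ALGORITHM) + _time_fields(time_signed, fudge)
                 + struct.pack("!HH", error, len(other)) + other)
    return hmac.new(secret, unsigned_msg + variables, hashlib.sha256).digest()


def sign_query(msg, keyname, secret, time_signed, fudge=300):
    """Append a TSIG RR to an unsigned message and bump ARCOUNT."""
    mac = _mac(secret, msg, keyname, time_signed, fudge)
    msg_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(ALGORITHM) + _time_fields(time_signed, fudge)
             + struct.pack("!H", len(mac)) + mac
             + struct.pack("!HHH", msg_id, 0, 0))      # original ID, error, other len
    rr = encode_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def verify_query(wire, keyring, now):
    """Server-side check. Returns (status, keyname): NOERROR, NOTSIG, FORMERR,
    or the TSIG error the server would send back (BADKEY, BADSIG, BADTIME)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    if ar == 0:
        return "NOTSIG", None
    off = 12
    for _ in range(qd):
        off = skip_name(wire, off) + 4
    for _ in range(an + ns + ar - 1):          # TSIG must be the last additional RR
        off = skip_name(wire, off)
        off += 10 + struct.unpack("!H", wire[off + 8:off + 10])[0]
    tsig_start = off
    keyname, off = decode_name(wire, off)
    rtype, rclass, _, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
    off += 10
    if rtype != TSIG_TYPE:
        return "NOTSIG", None
    if rclass != CLASS_ANY or off + rdlen != len(wire):
        return "FORMERR", keyname
    alg, off = decode_name(wire, off)
    t_hi, t_lo, fudge, macsize = struct.unpack("!HIHH", wire[off:off + 10])
    off += 10
    mac = wire[off:off + macsize]
    off += macsize
    orig_id, error, other_len = struct.unpack("!HHH", wire[off:off + 6])
    other = wire[off + 6:off + 6 + other_len]
    secret = keyring.get(keyname)
    if secret is None or alg != ALGORITHM:
        return "BADKEY", keyname
    # Rebuild what the signer hashed: original ID, ARCOUNT without the TSIG RR, no TSIG RR.
    unsigned = (struct.pack("!H", orig_id) + wire[2:10]
                + struct.pack("!H", ar - 1) + wire[12:tsig_start])
    expected = _mac(secret, unsigned, keyname, (t_hi << 32) | t_lo, fudge, error, other)
    if not hmac.compare_digest(mac, expected):
        return "BADSIG", keyname
    if abs(now - ((t_hi << 32) | t_lo)) > fudge:    # replay window
        return "BADTIME", keyname
    return "NOERROR", keyname


if __name__ == "__main__":
    # Constructed demo values; the secret would normally be random and base64 in named.conf.
    secret = b"constructed-demo-secret-not-for-production"
    q = make_query("www.example.com.", 1, 0x1234)
    signed = sign_query(q, "cache-internal.", secret, time_signed=1361394237)
    print(verify_query(signed, {"cache-internal.": secret}, now=1361394237 + 60))
```

The key name is what makes the multi-view setup work: the authoritative server selects a view on the verified key (`match-clients { key cache-internal; };` in BIND), and each view on the caching side signs its upstream queries with its own key (a `server` statement with `keys { ... };` inside that view). Two caveats a deployment needs: the MAC covers the message but nothing is encrypted, and BADTIME means both sides must keep clocks within the fudge window, so NTP on resolvers and authoritatives is part of the configuration.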