
Re: DNSSEC for IPSEC?



-----BEGIN PGP SIGNED MESSAGE-----


In message <199607260645.XAA00284@imo.plaintalk.bellevue.wa.us>, Dennis Glatting writes:
>
>There is an issue. Storing the private key off-line is not
>a deterrent: the mischievous person simply generates a
>new key pair and re-signs the zone.

Which would generate a million alarms as the signature created by this
new key does not verify under the old public key (the legitimate one).
There is this small issue of key distribution/revocation you see. So
one would have to break/acquire/bribe to get the key pairs of the
entities that would sign the root's public key (I assume there will be
such safety precautions).

>The value of DNS-SEC is if everyone uses it. Until that
>time, which may be a decade or more down the road,
>resolvers are going to have to trust any response,
>thereby reducing DNS-SEC's value to a simple checksum.
>
This is partly true; while IPSEC cannot depend on DNSSEC at this
point, it makes sense (very much so) to have full support for it and
"complain" whenever it is not available (logs, popup windows, your pick).

>I question the value of using DNS-SEC to aid IPSEC.
>Coupled with the issues I noted, and more I have not noted,
>there is an open validation issue and little, if any,
>operational experience. I am not convinced DNS-SEC will
>offer much value for many years.
>
I would be interested in hearing the not noted issues, as would most
on this list, I believe.
Regards,
- -Angelos

-----BEGIN PGP SIGNATURE-----
Version: 2.6
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBMfjUGL0pBjh2h1kFAQEAUwP9EWoHMJ3y8KsS9qyDtIcts35ngSZeKaMf
GNBdmypfw2a2nThesXtXa2YkZfLNdpG21qUesvSOMNMMglFYn1AO6Yx5kf0gASM4
wAR42xfHWxZo2u099bL1nViP4L3zPxJFupz6Vo+kaDJbOxzpckX/ho1ecFFTn0BS
7gqOjxojkXw=
=7Ezz
-----END PGP SIGNATURE-----
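The two points made in the message above (a zone re-signed with a freshly generated key pair fails to verify under the legitimate public key a validator already trusts, and an IPsec-side resolver should complain rather than silently accept an unsigned answer), shown as an added example in Go. This is not code from the message or from any DNSSEC implementation: it is a toy model that signs a text serialisation of records with Ed25519 instead of real RRSIG/DNSKEY records, and the zone names, record data, and function names (`SignZone`, `Validate`, `NewZoneKey`, `SampleZone`) are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// ZoneRecord is a simplified stand-in for one resource record; real DNSSEC
// signs whole RRsets in canonical wire format, which this toy model skips.
type ZoneRecord struct {
	Name, Type, Data string
}

// SignedZone carries the records, the public key the signer publishes with
// them (the DNSKEY, in real DNSSEC), and the signature over the records.
// A nil Signature means the zone was served unsigned.
type SignedZone struct {
	Records   []ZoneRecord
	ZoneKey   ed25519.PublicKey
	Signature []byte
}

// Status is the validator's verdict, mirroring DNSSEC's secure/bogus/insecure.
type Status int

const (
	Secure   Status = iota // signature verifies under the trusted key
	Bogus                  // signed, but not by a key the validator trusts
	Insecure               // no signature at all
)

func (s Status) String() string {
	return [...]string{"SECURE", "BOGUS", "INSECURE"}[s]
}

// NewZoneKey generates a fresh Ed25519 key pair for a zone signer.
func NewZoneKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// canonical serialises records deterministically so that signer and
// validator sign and verify exactly the same bytes.
func canonical(records []ZoneRecord) []byte {
	var b strings.Builder
	for _, r := range records {
		fmt.Fprintf(&b, "%s\t%s\t%s\n", r.Name, r.Type, r.Data)
	}
	return []byte(b.String())
}

// SignZone signs the records with priv and attaches the matching public key,
// exactly as a signer who re-generated a key pair would do.
func SignZone(records []ZoneRecord, priv ed25519.PrivateKey) SignedZone {
	return SignedZone{
		Records:   records,
		ZoneKey:   priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, canonical(records)),
	}
}

// Validate judges a zone against the trust anchor the resolver was configured
// with, never against the key that arrived alongside the data. The reason
// string is what a resolver would log or surface to the user.
func Validate(z SignedZone, trustAnchor ed25519.PublicKey) (Status, string) {
	if z.Signature == nil {
		return Insecure, "zone is unsigned: DNSSEC unavailable, complaint logged"
	}
	if !z.ZoneKey.Equal(trustAnchor) {
		return Bogus, "zone key does not match the configured trust anchor"
	}
	if !ed25519.Verify(trustAnchor, canonical(z.Records), z.Signature) {
		return Bogus, "signature does not verify under the trust anchor"
	}
	return Secure, "signature verifies under the trust anchor"
}

// SampleZone returns constructed records standing in for a small zone.
func SampleZone() []ZoneRecord {
	return []ZoneRecord{
		{"gw.example.test.", "A", "192.0.2.1"},
		{"gw.example.test.", "KEY", "constructed-ipsec-key-material"},
	}
}

func main() {
	legitPub, legitPriv := NewZoneKey() // the key the validator was configured to trust
	status, why := Validate(SignZone(SampleZone(), legitPriv), legitPub)
	fmt.Println("legitimate zone:", status, "-", why)

	_, rogue := NewZoneKey() // a fresh key pair used to re-sign the same records
	status, why = Validate(SignZone(SampleZone(), rogue), legitPub)
	fmt.Println("re-signed zone: ", status, "-", why)

	status, why = Validate(SignedZone{Records: SampleZone()}, legitPub)
	fmt.Println("unsigned zone:  ", status, "-", why)
}
```

The validator's only trusted input is the anchor it was configured with; the key carried with the zone is compared against that anchor rather than used directly, so re-signing with a new pair is reported as BOGUS, and an unsigned answer is reported as INSECURE with a reason suitable for the log or pop-up the message suggests.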

