Re: ike and secure DNS
In message <200010111025.DAA06812@zed.isi.edu>, Bill Manning writes:
> A couple academic projects, TBDS and FMESHD, are either dependent on
> working DNSSEC or leverage DNSSEC for key exchange, while the upcoming
> DNSSEC workshop on the 25th in WDC will be evaluating DNSSEC viability
> in the ip6.int tree. If that can be shown to be stable, it can act as
> a precursor to a signed in-addr.arpa. and other address-name trees.
> I think this is what is needed to exploit any IKE/ipsec & DNS interactions
> since that will give us a "chain-of-custody" up the delegation hierarchy.
> Does Free/SWAN have this as a shared goal?
I'd love to see any sort of secure address-to-entity map. But there
seems to be considerable uncertainty about who actually owns various
chunks of address space. Is the database clean enough that it's worth
signing? I sure don't get that impression from, say, the NANOG list.
--Steve Bellovin