
Re: ike and secure DNS



In message <200010111025.DAA06812@zed.isi.edu>, Bill Manning writes:
> A couple academic projects, TBDS and FMESHD, are either dependent on
> working DNSSEC or leverage DNSSEC for key exchange, while the upcoming
> DNSSEC workshop on the 25th in WDC will be evaluating DNSSEC viability
> in the ip6.int tree. If that can be shown to be stable, it can act as
> a precursor to a signed in-addr.arpa. and other address-name trees.
> I think this is what is needed to exploit any IKE/ipsec & DNS interactions
> since that will give us a "chain-of-custody" up the delegation hierarchy.
> Does Free/SWAN have this as a shared goal?

I'd love to see any sort of secure address-to-entity map.  But there 
seems to be considerable uncertainty about who actually owns various 
chunks of address space.  Is the database clean enough that it's worth 
signing?  I sure don't get that impression from, say, the NANOG list.


		--Steve Bellovin



