
Re: ike and secure DNS



In message <sjm8zrvju58.fsf@indiana.mit.edu>, Derek Atkins writes:
>"Steven M. Bellovin" <smb@research.att.com> writes:
>
>> I'd love to see any sort of secure address-to-entity map.  But there 
>> seems to be considerable uncertainty about who actually owns various 
>> chunks of address space.  Is the database clean enough that it's worth 
>> signing?  I sure don't get that impression from, say, the NANOG list.
>
>Perhaps a small change to what it means to "sign" a zone?  If the "root"
>could sign my NS records (which "they" own), and my key record (which "I"
>own, but supply to them the same way I supply my NS records), then this
>works.
>
>But I doubt NSI is willing to accept a KEY record or sign it.  Let alone
>sign my NS records.

My point is that the records of who owns (or has the delegation for, if 
you prefer) address blocks are not very good.  Why sign something that 
isn't correct to start with?

		--Steve Bellovin



