
Re: ike and secure DNS



On Wed, 11 Oct 2000, Bill Manning wrote:
>  ...DNSSEC workshop on the 25th in WDC will be evaluating DNSSEC viability
>  in the ip6.int tree. If that can be shown to be stable, it can act as
>  a precursor to a signed in-addr.arpa. and other address-name trees.
>  I think this is what is needed to exploit any IKE/ipsec & DNS interactions
>  since that will give us a "chain-of-custody" up the delegation hierarchy.
>  Does Free/SWAN have this as a shared goal?

Correct -- we want to use secure DNS for key distribution and lookup,
which means having some way of tracing signatures back to a known-good one
(e.g., one supplied as part of the named.root file that we need anyway). 
We're already set up to fetch keys from DNS, in fact, and anything done to
make that more secure fits very nicely. 

(Mind you, we have not been addressing the implementation details much
ourselves -- our management sees it as a separate problem, to be dealt
with by the BIND guys rather than by us, except insofar as we need to be
explicit about what we want.)

                                                          Henry Spencer
                                                       henry@spsystems.net


