
Re: ike and secure DNS



% Perhaps a small change to what it means to "sign" a zone?  If the "root"
% could sign my NS records (which "they" own), and my key record (which "I"
% own, but supply to them the same way I supply my NS records), then this
% works.
% 
% But I doubt NSI is willing to accept a KEY record or sign it.  Let alone
% sign my NS records.
% 
% -derek

Ah, but NSI doesn't have that token so that issue is a peruvian herring.
For a working system, ICANN/IANA would sign "root" and the in-addr.arpa zone(s).
Then, say MIT, would sign 18.in-addr.arpa.  If you were delegated a section
of that tree, say 167.49.18.in-addr.arpa., you would need MIT to accept your
key.  

And in the case where ICANN is tied up in legal/business issues, MIT can
self-sign.  Given the nature of DNSSEC, we are able to swap
keys in some OOB manner to enable the DNSSEC signed subzones we operate
while our parents futz about with other issues, i.e. the tree does not
have to be complete.

--bill
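The chain of trust bill sketches above, as an added example in Go (not code from the original thread, nor from any DNSSEC implementation): each zone holds one Ed25519 key, a parent "accepts" a child's key by publishing a signed DS-style digest of it, and a resolver validates a name by walking up to the nearest configured trust anchor and then checking every DS record back down to the target. The zone names, the use of Ed25519 and SHA-256, and folding the "arpa." delegation into the root are assumptions made for the example; the KSK/ZSK split, RRSIG validity windows and NSEC are deliberately not modelled. The three cases at the end are the ones in the message: a complete tree with only the root key as anchor, a root that has not signed its delegation where MIT's key is added as an OOB anchor, and a parent that never accepted the child's key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Zone is a simplified DNSSEC zone (assumption: one key per zone, no
// KSK/ZSK split, no RRSIG validity windows, no NSEC). It knows its parent
// and the DS records it has published for children whose keys it accepted.
type Zone struct {
	Name   string
	Parent string // "" for the root
	pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	ds     map[string][32]byte // child name -> digest of the child's key
	dsSig  map[string][]byte   // signature over that DS record, by this zone
}

func NewZone(name, parent string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Parent: parent, pub: pub, priv: priv,
		ds: map[string][32]byte{}, dsSig: map[string][]byte{}}
}

// Key returns the zone's public key, as a resolver would fetch it from DNSKEY.
func (z *Zone) Key() []byte { return []byte(z.pub) }

// dsDigest is the DS-style digest of a child's key: owner name + key bytes.
func dsDigest(name string, pub ed25519.PublicKey) [32]byte {
	return sha256.Sum256(append([]byte(name), pub...))
}

func dsMessage(child string, d [32]byte) []byte {
	return append([]byte(child+"|DS|"), d[:]...)
}

// Accept is the parent accepting a child's key: it publishes a DS record
// for the child and signs that record with its own key.
func (p *Zone) Accept(child *Zone) {
	d := dsDigest(child.Name, child.pub)
	p.ds[child.Name] = d
	p.dsSig[child.Name] = ed25519.Sign(p.priv, dsMessage(child.Name, d))
}

// Validate returns the chain of zone names from the trust anchor actually
// used down to target, or an error if no chain of signed DS records links
// target to any configured anchor (anchors: zone name -> trusted key bytes).
func Validate(zones map[string]*Zone, anchors map[string][]byte, target string) ([]string, error) {
	var path []*Zone // top-down, after the upward walk below
	for name := target; ; {
		z, ok := zones[name]
		if !ok {
			return nil, fmt.Errorf("unknown zone %q", name)
		}
		path = append([]*Zone{z}, path...)
		if a, ok := anchors[name]; ok {
			if !bytes.Equal(a, z.pub) {
				return nil, fmt.Errorf("trust anchor for %q does not match published key", name)
			}
			break // nearest anchor found; everything above it is irrelevant
		}
		if z.Parent == "" {
			return nil, errors.New("no trust anchor above " + target)
		}
		name = z.Parent
	}
	chain := []string{path[0].Name}
	for i := 1; i < len(path); i++ {
		parent, child := path[i-1], path[i]
		d, ok := parent.ds[child.Name]
		if !ok {
			return nil, fmt.Errorf("%s has not accepted a key for %s", parent.Name, child.Name)
		}
		if !ed25519.Verify(parent.pub, dsMessage(child.Name, d), parent.dsSig[child.Name]) {
			return nil, fmt.Errorf("bad signature on DS for %s in %s", child.Name, parent.Name)
		}
		if d != dsDigest(child.Name, child.pub) {
			return nil, fmt.Errorf("DS in %s does not match the key served by %s", parent.Name, child.Name)
		}
		chain = append(chain, child.Name)
	}
	return chain, nil
}

// BuildTree builds the tree from the message ("arpa." elided, an assumption).
// rootSigned=false: ICANN/IANA has not signed the delegation to in-addr.arpa.
// mitAccepts=false: MIT has not accepted our key for 167.49.18.in-addr.arpa.
func BuildTree(rootSigned, mitAccepts bool) map[string]*Zone {
	root := NewZone(".", "")
	inaddr := NewZone("in-addr.arpa.", ".")
	mit := NewZone("18.in-addr.arpa.", "in-addr.arpa.")
	ours := NewZone("167.49.18.in-addr.arpa.", "18.in-addr.arpa.")
	if rootSigned {
		root.Accept(inaddr)
	}
	inaddr.Accept(mit)
	if mitAccepts {
		mit.Accept(ours)
	}
	return map[string]*Zone{root.Name: root, inaddr.Name: inaddr, mit.Name: mit, ours.Name: ours}
}

func main() {
	target := "167.49.18.in-addr.arpa."
	full := BuildTree(true, true)
	fmt.Println(Validate(full, map[string][]byte{".": full["."].Key()}, target))
	partial := BuildTree(false, true) // root anchor alone fails; MIT's OOB key rescues the subtree
	fmt.Println(Validate(partial, map[string][]byte{".": partial["."].Key()}, target))
	fmt.Println(Validate(partial, map[string][]byte{"18.in-addr.arpa.": partial["18.in-addr.arpa."].Key()}, target))
	unaccepted := BuildTree(false, false) // MIT never accepted our key
	fmt.Println(Validate(unaccepted, map[string][]byte{"18.in-addr.arpa.": unaccepted["18.in-addr.arpa."].Key()}, target))
}
```

The second case is the "island of trust" bill describes: a resolver that has MIT's key configured out of band validates 167.49.18.in-addr.arpa. without any signed delegation above 18.in-addr.arpa., while a resolver that only trusts the root cannot. The last case shows the other half of his point: whoever signs the zone above you still has to accept your key, or no anchor helps.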

