[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ike and secure DNS

To: "Steven M. Bellovin" <smb@research.att.com>
Subject: Re: ike and secure DNS
From: Henry Spencer <henry@spsystems.net>
Date: Wed, 11 Oct 2000 11:26:49 -0400 (EDT)
cc: ipsec <ipsec@lists.tislabs.com>
In-Reply-To: <20001011151027.2DFE135DC2@smb.research.att.com>
Sender: owner-ipsec@lists.tislabs.com

On Wed, 11 Oct 2000, Steven M. Bellovin wrote:
> My point is that the records of who owns (or has the delegation for, if 
> you prefer) address blocks are not very good.  Why sign something that 
> isn't correct to start with?

I think there's a hierarchy issue here.  Remember that delegation is done
one level at a time, *not* all at once, and signing can be done the same
way.  What we care about is not whether we can consult some central source
and learn who owns 209.47.149.227, but whether the owner of 209.47.149/24
knows how it's divided up, because *he* (not the DNS root administrators)
is the one who's going to have to sign the key for the next level down. 
Ownership needs to be positively known only locally, not globally. 

Where there may still be a problem is with all the chunks of address space
that were allocated globally in the old days.  I think the answer for them
is simply that if you can't convincingly establish ownership, you can't
get your key signed.  There is no requirement that we be able to sign the
whole tree, every last little branch, right at the start.

                                                          Henry Spencer
                                                       henry@spsystems.net

References:

Re: ike and secure DNS

From: "Steven M. Bellovin" <smb@research.att.com>

Prev by Date: Re: ike and secure DNS
Next by Date: Re: ike and secure DNS
Prev by thread: Re: ike and secure DNS
Next by thread: Re: ike and secure DNS
Index(es):
- Main
- Thread