
Re: ike and secure DNS



Ahh, but I want forward delegation as much as reverse delegation.  I
want to be able to sign ihtfp.org. as much as I want to sign
200.107.204.in-addr.arpa.  NSI is the registrar for the former, and
ARIN is the registrar for the latter.

-derek

Bill Manning <bmanning@ISI.EDU> writes:

> % Perhaps a small change to what it means to "sign" a zone?  If the "root"
> % could sign my NS records (which "they" own), and my key record (which "I"
> % own, but supply to them the same way I supply my NS records), then this
> % works.
> % 
> % But I doubt NSI is willing to accept a KEY record or sign it.  Let alone
> % sign my NS records.
> % 
> % -derek
> 
> Ah, but NSI doesn't have that token so that issue is a peruvian herring.
> For a working system, ICANN/IANA would sign "root" and the in-addr.arpa zone(s).
> Then, say MIT, would sign 18.in-addr.arpa.  If you were delegated a section
> of that tree, say 167.49.18.in-addr.arpa., you would need MIT to accept your
> key.  
> 
> And in the case where ICANN is tied up in legal/business issues, MIT can
> self-sign.  Given the nature of DNSSEC, we are able to swap
> keys in some OOB manner to enable the DNSSEC signed subzones we operate
> while our parents futz about with other issues. e.g. the tree does not
> have to be complete.
> 
> --bill

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available

