Re: ike and secure DNS
Ahh, but I want forward delegation as much as reverse delegation. I
want to be able to sign ihtfp.org. as much as I want to sign
200.107.204.in-addr.arpa. NSI is the registrar for the former, and
ARIN is the registrar for the latter.
-derek
Bill Manning <bmanning@ISI.EDU> writes:
> % Perhaps a small change to what it means to "sign" a zone? If the "root"
> % could sign my NS records (which "they" own), and my key record (which "I"
> % own, but supply to them the same way I supply my NS records), then this
> % works.
> %
> % But I doubt NSI is willing to accept a KEY record or sign it. Let alone
> % sign my NS records.
> %
> % -derek
>
> Ah, but NSI doesn't have that token so that issue is a peruvian herring.
> For a working system, ICANN/IANA would sign "root" and the in-addr.arpa zone(s).
> Then, say MIT, would sign 18.in-addr.arpa. If you were delegated a section
> of that tree, say 167.49.18.in-addr.arpa., you would need MIT to accept your
> key.
>
> And in the case where ICANN is tied up in legal/business issues, MIT can
> self-sign. Given the nature of DNSSEC, we are able to swap
> keys in some OOB manner to enable the DNSSEC signed subzones we operate
> while our parents futz about with other issues. e.g. the tree does not
> have to be complete.
>
> --bill
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
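
The incomplete-tree case discussed in this thread can be modelled as a search for a chain of trust from an out-of-band key down to the zone holding a name. This is an added example, not part of the original messages: the zone names come from the thread, but the `signed` and `key_signed_by_parent` flags and all function names are constructed assumptions.

```python
# Constructed model of the zones named in the thread. The flags are
# assumptions for illustration, not real DNS data.
ZONES = {
    ".":                       {"signed": False, "key_signed_by_parent": False},
    "in-addr.arpa.":           {"signed": False, "key_signed_by_parent": False},
    "18.in-addr.arpa.":        {"signed": True,  "key_signed_by_parent": False},
    "167.49.18.in-addr.arpa.": {"signed": True,  "key_signed_by_parent": True},
    "org.":                    {"signed": False, "key_signed_by_parent": False},
    "ihtfp.org.":              {"signed": True,  "key_signed_by_parent": False},
}


def labels(name):
    """Split a domain name into lowercase labels; the root yields []."""
    return [part for part in name.lower().rstrip(".").split(".") if part]


def enclosing_zones(name, zones):
    """Known zones containing `name`, closest (longest match) first."""
    n = labels(name)
    hits = [z for z in zones if labels(z) == n[len(n) - len(labels(z)):]]
    return sorted(hits, key=lambda z: len(labels(z)), reverse=True)


def chain_of_trust(name, zones, anchors):
    """Return the zones from a trust anchor down to the zone holding `name`,
    or None when no configured key can vouch for that zone's data."""
    chain = []
    for zone in enclosing_zones(name, zones):
        if not zones[zone]["signed"]:
            return None                 # unsigned zone: nothing to validate
        chain.append(zone)
        if zone in anchors:             # key obtained out of band
            return chain[::-1]
        if not zones[zone]["key_signed_by_parent"]:
            return None                 # parent never accepted this key
    return None


if __name__ == "__main__":
    oob = {"18.in-addr.arpa."}          # key swapped out of band
    for qname in ("1.167.49.18.in-addr.arpa.", "www.ihtfp.org."):
        print(qname, "->", chain_of_trust(qname, ZONES, oob))
```

A validator that holds only a root key finds no chain in this model, because the parents above 18.in-addr.arpa. have signed nothing.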