Re: ike and secure DNS
Baby steps... :)
We'll get there. I'm mostly concerned w/ the IP delegations right now.
NSI is active in this area, perhaps more so since the Verisign buyout.
ARIN is less so, but with the recent mgmt change there, I have more
hope that ARIN too, will embrace DNSSEC.
%
% Ahh, but I want forward delegation as much as reverse delegation. I
% want to be able to sign ihtfp.org. as much as I want to sign
% 200.107.204.in-addr.arpa. NSI is the registrar for the former, and
% ARIN is the registrar for the latter.
%
% -derek
%
% Bill Manning <bmanning@ISI.EDU> writes:
%
% > % Perhaps a small change to what it means to "sign" a zone? If the "root"
% > % could sign my NS records (which "they" own), and my key record (which "I"
% > % own, but supply to them the same way I supply my NS records), then this
% > % works.
% > %
% > % But I doubt NSI is willing to accept a KEY record or sign it. Let alone
% > % sign my NS records.
% > %
% > % -derek
% >
% > Ah, but NSI doesn't have that token so that issue is a peruvian herring.
% > For a working system, ICANN/IANA would sign "root" and the in-addr.arpa zone(s).
% > Then, say MIT, would sign 18.in-addr.arpa. If you were delegated a section
% > of that tree, say 167.49.18.in-addr.arpa., you would need MIT to accept your
% > key.
% >
% > And in the case where ICANN is tied up in legal/business issues, MIT can
% > self-sign. Given the nature of DNSSEC, we are able to swap
% > keys in some OOB manner to enable the DNSSEC signed subzones we operate
% > while our parents futz about with other issues. e.g. the tree does not
% > have to be complete.
% >
% > --bill
%
% --
% Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
% Member, MIT Student Information Processing Board (SIPB)
% URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
% warlord@MIT.EDU PGP key available
%
--
--bill