
Re: [IPSECKEY] misc



>     Jean-Jacques> Is anyone aware of any informational documents or articles
>     Jean-Jacques> about considerations on the use of keys in the DNS system,
>     Jean-Jacques> from the point of view of
>     Jean-Jacques> replication/caching/revocation/propagation/...  and some
> 
>   We have thought about it a lot, but I'm not sure what you are asking for.

P. Hallam-Baker raised interesting points in his Dec. 16 mail about DNS
linked PKI. These set some of the limits of what services linked to
security we can expect DNS to provide. Publishing ipseckey rr, even with
the use of DNSSEC, will never end up favoring a kind of worldwide PKI
scheme. These rr are interesting, though, even if key validation is not
possible or if an offline scheme is needed.

The ipseckey rr draft does not give recommendations about the use of such
an rr (and it is not its purpose anyway), and both DNS and corporate
security may suffer from its incorrect use. Thus, information is needed
about the specificities of this system (because I believe it is more
specific than common Directory/PKI schemes). A document should explain:
- limits of PKI linking to DNS, with the scope / namezone of validation,
  the meaning of validation and of no-validation here.
- key rr revocation problem, rr propagation, ...
- the possible correlation between the lifetime of a record and the
  lifetime of a public key.
- solving contradictions (where two DNS caches do not answer with
  identical key rr for the same id. This may not be an issue, but some
  others may appear from replication and caching, and of course from
  corrupting players).
- May dynamic dns, dns notify have consequences on the use of these rr?
- Stupid locks to avoid: getting the key of the dns through the dns in
  order to query the dns. This is not a problem when it is possible to
  revert to plain text, but this is a policy consideration all users of
  key rr may not have. Maybe there are other stupid locks for zone
  transfer, etc.

I don't say that such a document should be provided by an international
organisation or a wg. This may be the responsibility of a software
manual. I only ask if such a document is available. Maybe there have
been studies about some of the previous points with DNSSEC?

--
Jean-Jacques Puig
-
This is the IPSECKEY@sandelman.ca list.
Email to ipseckey-request@sandelman.ca to be removed.