Re: [IPSECKEY] the -01 draft




>>>>> "Jakob" == Jakob Schlyter <jakob@crt.se> writes:
    Jakob> I think the resolution process should be stated.

    Jakob> in draft-ietf-secsh-dns we wrote:

    Jakob>   "Clients that do not validate the DNSSEC signatures themselves
    Jakob>    MUST use a secure transport, e.g. TSIG [8], SIG(0) [9] or IPsec [7],
    Jakob>    between themselves and the entity performing the signature
    Jakob>    validation."

  I'd rather write:
      Clients that do not validate the DNSSEC signatures themselves
      MUST communicate with a recursive resolver that does DNSSEC resolution
      using either a secure channel: local to the host, or via a TSIG
      or SIG(0) with another host.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

-
This is the IPSECKEY@sandelman.ca list.
Email to ipseckey-request@sandelman.ca to be removed.