[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [IPSECKEY] the -01 draft
Michael Richardson <mcr@sandelman.ottawa.on.ca> writes:
>>>>>> "Jakob" == Jakob Schlyter <jakob@crt.se> writes:
> Jakob> I think the resolution process should be stated.
>
> Jakob> in draft-ietf-secsh-dns we wrote:
>
> Jakob> "Clients that do not validate the DNSSEC signatures themselves
> Jakob> MUST
> Jakob> use a secure transport, e.g. TSIG [8], SIG(0) [9] or IPsec [7],
> Jakob> between themselves and the entity performing the signature
> Jakob> validation."
>
> I'd rather write:
> Clients that do not validate the DNSSEC signatures themselves
> MUST communicate with a recursive resolver that does DNSSEC resolution
> using either a secure channel: local to the host, or via a TSIG
> or SIG(0) with another host.
This text imply that DNSSEC is required for IPSECKEY to work, which I
believe would be a mistake.
I believe IPSECKEY is useful without DNSSEC, just as long as the data
is properly secured.
DNSSEC may have been a hidden assumption in the mind set of people
related to this work, but I see no technical justification for it.
Preventing IPSECKEY to work with secure DNS systems that aren't based
on DNSSEC would be unfortunate.
I think Jakob's proposed text is better.
-
This is the IPSECKEY@sandelman.ca list.
Email to ipseckey-request@sandelman.ca to be removed.