
Re: [IPSECKEY] the -01 draft



Michael Richardson <mcr@sandelman.ottawa.on.ca> writes:

>>>>>> "Jakob" == Jakob Schlyter <jakob@crt.se> writes:
>     Jakob> I think the resolution process should be stated.
>
>     Jakob> in draft-ietf-secsh-dns we wrote:
>
>     Jakob>   "Clients that do not validate the DNSSEC signatures themselves
>     Jakob>    MUST use a secure transport, e.g. TSIG [8], SIG(0) [9] or IPsec [7],
>     Jakob>    between themselves and the entity performing the signature
>     Jakob>    validation."
>
>   I'd rather write:
>       Clients that do not validate the DNSSEC signatures themselves
>       MUST communicate with a recursive resolver that does DNSSEC resolution
>       using either a secure channel: local to the host, or via a TSIG
>       or SIG(0) with another host.

This text implies that DNSSEC is required for IPSECKEY to work, which I
believe would be a mistake.

I believe IPSECKEY is useful without DNSSEC, just as long as the data
is properly secured.

DNSSEC may have been a hidden assumption in the mindset of people
related to this work, but I see no technical justification for it.

Preventing IPSECKEY from working with secure DNS systems that aren't based
on DNSSEC would be unfortunate.

I think Jakob's proposed text is better.

-
This is the IPSECKEY@sandelman.ca list.
Email to ipseckey-request@sandelman.ca to be removed.