
Re: [IPSECKEY] new draft -08



At Mon, 15 Dec 2003 15:15:50 -0500, Michael Richardson wrote:
> 
>     IESG> Bert Wijnen:
> 
>     IESG> Bigger issue:
>     IESG>
>     IESG> - The examples use the reverse DNS records to convey IPSECKEY record.
>     IESG> Does this have some unstated assumptions about the deployment of
>     IESG> IPSECKEY (e.g., to be usable, the participating nodes should record
>     IESG> the RRs in reverse records), or is this just a coincidence?
>     IESG> I note that the document does not discuss the deployment at all, but
>     IESG> that is probably intentional.
>     IESG> 
>     IESG> If there is no connection to the reverse records, I'd suggest
>     IESG> rewording at least 3 of the 5 examples to use e.g. "nodeX.example.com
>     IESG> IN IPSECKEY ..."; if there is a requirement for reverse records, this
>     IESG> issue needs to be explicitly discussed. DNS deployment folks might
>     IESG> have something to say about that :-)
> 
>   Chairs. Reverse is clearly in scope here.
>   Can you discuss with Bert?

See "if there is a requirement for reverse records, this issue needs
to be explicitly discussed."

The issue is not whether or not IPSECKEY belongs in the reverse tree
(everyone on this list knows that it does, and Bert now knows too,
because I told him).  The issue is that the draft doesn't explain
this, it just assumes that the reader is already an expert on
opportunistic IPSEC and that this is therefore obvious.

Given that the reverse tree is, in general, notorious for bad
maintenance, Bert is correct that the doc should explain why stuffing
IPSECKEY RRs into the reverse tree is the right thing to do anyway.
-
This is the IPSECKEY@sandelman.ca list.
Email to ipseckey-request@sandelman.ca to be removed.
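Added example, not part of this thread or of the IPSECKEY draft: a small Python model of why the reverse tree matters for this record. An opportunistic IPsec peer that only knows the other side's IP address can only key its lookup on the in-addr.arpa / ip6.arpa owner name derived from that address; the forward-name form Bert suggests ("nodeX.example.com IN IPSECKEY ...") only works when the peer's name is already known. The zone contents, key bytes and helper names here are constructed for the example; the record field layout (precedence, gateway type, algorithm, gateway, base64 public key) follows the IPSECKEY presentation format as published in RFC 4025, which this draft became. The lookup also shows the failure mode raised above: an unmaintained reverse zone simply yields no record, and the caller must treat that as "no key available" rather than as an error in the record itself.

```python
import base64
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# IPSECKEY gateway types and algorithms (RFC 4025 values).
GATEWAY_TYPES = {0: "none", 1: "ipv4", 2: "ipv6", 3: "domain"}
ALGORITHMS = {0: "none", 1: "DSA", 2: "RSA"}


@dataclass
class IPSecKey:
    precedence: int      # lower value is tried first
    gateway_type: int
    algorithm: int
    gateway: str         # "." when gateway_type == 0
    public_key: bytes    # decoded from the base64 presentation field


def parse_ipseckey(rdata: str) -> IPSecKey:
    """Parse the presentation form: 'prec gw-type alg gateway base64key...'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("IPSECKEY needs at least precedence, type, algorithm, gateway")
    precedence, gw_type, alg = int(fields[0]), int(fields[1]), int(fields[2])
    gateway = fields[3]
    if not 0 <= precedence <= 255:
        raise ValueError("precedence is an 8-bit field")
    if gw_type not in GATEWAY_TYPES:
        raise ValueError(f"unknown gateway type {gw_type}")
    if alg not in ALGORITHMS:
        raise ValueError(f"unknown algorithm {alg}")
    # The gateway field must agree with the declared type.
    if gw_type == 0 and gateway != ".":
        raise ValueError("gateway type 0 requires '.' as gateway")
    if gw_type == 1:
        ipaddress.IPv4Address(gateway)   # raises on malformed input
    if gw_type == 2:
        ipaddress.IPv6Address(gateway)
    # Base64 may be split over whitespace in zone files; rejoin before decoding.
    key_b64 = "".join(fields[4:])
    public_key = base64.b64decode(key_b64, validate=True) if key_b64 else b""
    if alg != 0 and not public_key:
        raise ValueError("algorithm declared but no public key present")
    return IPSecKey(precedence, gw_type, alg, gateway, public_key)


def reverse_name(addr: str) -> str:
    """Owner name in the reverse tree for an IPv4 or IPv6 address (absolute)."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


# Constructed zone data, standing in for what a resolver would fetch.
# The keys are not real public keys; they are base64 of a marker string.
KEY_A = base64.b64encode(b"sample-key-1").decode()
KEY_B = base64.b64encode(b"sample-key-2").decode()
ZONE: Dict[str, List[str]] = {
    # Reverse-tree records keyed on the peer's address (what the draft's
    # examples do). Two records with different precedence for the same host.
    "38.2.0.192.in-addr.arpa.": [
        f"10 1 2 192.0.2.38 {KEY_A}",
        f"20 1 2 192.0.2.1 {KEY_B}",
    ],
    # Forward-tree record in the form Bert suggests; usable only when the
    # initiator already knows the peer's name.
    "node1.example.com.": [f"10 0 2 . {KEY_A}"],
    # 192.0.2.39 deliberately has no reverse record: the unmaintained case.
}


def lookup_ipseckey(zone: Dict[str, List[str]], owner: str) -> Optional[IPSecKey]:
    """Return the preferred (lowest precedence) record at owner, or None."""
    rrs = zone.get(owner)
    if not rrs:
        return None  # no record: caller cannot do opportunistic IPsec with this peer
    return min((parse_ipseckey(r) for r in rrs), key=lambda k: k.precedence)


def peer_key_by_address(zone: Dict[str, List[str]], addr: str) -> Optional[IPSecKey]:
    """What an opportunistic initiator can do when it only has the peer's IP."""
    return lookup_ipseckey(zone, reverse_name(addr))


if __name__ == "__main__":
    for ip in ("192.0.2.38", "192.0.2.39"):
        print(ip, "->", reverse_name(ip), "->", peer_key_by_address(ZONE, ip))
    print("by name ->", lookup_ipseckey(ZONE, "node1.example.com."))
```

The address-keyed path and the name-keyed path return the same parsed record type, so a caller can fall back from one to the other; what differs is only which owner name it is able to construct, which is the deployment point the thread is asking the draft to spell out.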