[dnssec-deployment] software pieces
Scott Rose
scottr at nist.gov
Wed Jan 19 13:27:32 EST 2005
I skimmed the Approaches for Identifying Software Pieces, and I have a few
questions about some of the items. I tried to snip out the sections that
seem unclear to me.
> -----Original Message-----
> From: DNSSEC deployment [mailto:dnssec-deployment at shinkuro.com]On Behalf
> Of Suresh Krishnaswamy
>
snip
> IIb) Proof-Of-Concept Applications
>
> 1. Mail Transfer Agent
> - Signed SPF records to guard against spoofed values
> - Terminate connections before spam is sent
>
Why SPF RRs and not IPSECKEY or SSH key hashes which have also been
introduced into the DNS? Or even CERT RRs. SPF seems to still be in a
state of flux at the moment.
> 2. Web Browser
> - User interface for DNSSEC
> - Obtain “buy-in” from OS vendors
>
Even the simple DNS hijack demo SPARTA has could be used as a POC
application of DNSSEC.
> IIc) Zone Maintenance
>
>
> 4. Last-hop security tools
> - Secure-channel construction tools
I'm unsure what "secure-channel construction tools" means. Would this mean
extending the DNS protocol to have channel security?
>
> IV) Software pieces using Approach 2
>
> - Break the DNSSEC process into a number of
> procedural flows
> - Nineteen flows had been identified earlier
> - Lookup
> - Registration
> - Enterprise Delegation
What does this mean? Wouldn't "Enterprise Delegation" fit in with Zone file
maintenance or the registry flows? Or is it different?
> - Trusted key configuration
> - Zone Transfer
> - Zone maintenance
> - ZSK Roll-over
> - KSK Roll-over
> - Root Zone Setup/Signing
> - Root Zone Signing Key Change
> - Root Key Signing Key Change
> - Registrant Change
> - Registrar Change
> - Registry Change
> - TLD delegation cycle
> - TLD zone maintenance
> - TLD key rollover
> - Inverse tree procedures
> - Trust anchor distribution (inline, DLV etc)
>
>
Scott
****************************************
Scott Rose
Adv. Network Tech. Div., NIST
+1 301-975-8439
http://www-x.antd.nist.gov/dnssec/
****************************************