[dnssec-deployment] Future applications?

Peter Koch pk at DENIC.DE
Mon Jan 14 07:37:53 EST 2008


On Mon, Jan 14, 2008 at 01:10:47PM +0100, Olaf M. Kolkman wrote:

> And along the same lines of opportunistic key exchange, there is the  
> IPSECKEY RR. RFC4025.

Yes. And since we're in repeat mode already, I'd like to remind everyone that
DNSSEC provides data origin authentication only. There's nothing in DNSSEC
that strictly binds the RDATA (keying or fingerprint information) to the
owner name.
RRSIGs are not certificates, so there is no implicit or explicit liability
of the zone maintainer (or worse, one of the [TLD] registries involved)
for the correctness of the data.  If this isn't kept in mind, we're just
about to hit the next road block.

-Peter


