[dnssec-deployment] Future applications?
bmanning at vacation.karoshi.com
Mon Jan 14 07:53:20 EST 2008
On Mon, Jan 14, 2008 at 01:37:53PM +0100, Peter Koch wrote:
> On Mon, Jan 14, 2008 at 01:10:47PM +0100, Olaf M. Kolkman wrote:
>
> > And along the same lines of opportunistic key exchange, there is the
> > IPSECKEY RR. RFC4025.
>
> yes. And since we're in repeat mode already, I'd like to remind everyone that
> DNSSEC provides data origin authentication only. There's nothing in DNSSEC
> that strictly binds the RDATA (keying or fingerprint information) to the
> owner name.
> RRSIGs are not certificates, so there is no implicit or explicit liability
> of the zone maintainer (or worse, one of the [TLD] registries involved)
> for the correctness of the data. If this isn't kept in mind, we're just
> about to hit the next road block.
>
> -Peter
>
true enough - but having a user supplied CERT as part of an RRSIG
that is in a validated chain just might be useful.
the CERT, presuming non-self-signed, is another channel for verification
of the bindings.
for my edification, who else, besides Simon Josefsson and myself, is
using CERT rrs or IPSECKEY rrs in regular use?
--bill
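As an added illustration (not code from this thread, nor from RFC 4025 itself), here is a small Python codec for the IPSECKEY RDATA that Olaf mentioned and that Peter's caveat applies to. It encodes and decodes the precedence, gateway type, algorithm, gateway and public key fields in the RFC 4025 wire layout (including the uncompressed domain-name gateway form) and renders the text presentation. The sample record, the gateway name `gw.example.net.` and the key bytes are constructed values. What the parser returns is exactly what a DNSSEC-validated response authenticates: the RDATA as the zone published it; nothing in the record itself asserts that the key belongs to the owner name, which is the distinction the reply above draws.

```python
"""IPSECKEY (RFC 4025) RDATA encoder/decoder, constructed as an illustration."""
import base64
import ipaddress
import struct

# Gateway type values from RFC 4025 section 2.3
GW_NONE, GW_IPV4, GW_IPV6, GW_DNAME = 0, 1, 2, 3


def _encode_name(name: str) -> bytes:
    """Encode a domain name in uncompressed wire format (no compression in RDATA)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def _decode_name(data: bytes, off: int):
    """Decode an uncompressed wire-format name starting at offset `off`."""
    labels = []
    while True:
        if off >= len(data):
            raise ValueError("truncated domain name")
        n = data[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not permitted in IPSECKEY RDATA")
        if off + n > len(data):
            raise ValueError("truncated label")
        labels.append(data[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def build_ipseckey(precedence: int, gw_type: int, algorithm: int,
                   gateway: str, public_key: bytes = b"") -> bytes:
    """Produce IPSECKEY RDATA: 3 fixed octets, gateway, then the raw public key."""
    head = struct.pack("!BBB", precedence, gw_type, algorithm)
    if gw_type == GW_NONE:
        gw = b""
    elif gw_type == GW_IPV4:
        gw = ipaddress.IPv4Address(gateway).packed
    elif gw_type == GW_IPV6:
        gw = ipaddress.IPv6Address(gateway).packed
    elif gw_type == GW_DNAME:
        gw = _encode_name(gateway)
    else:
        raise ValueError(f"unknown gateway type {gw_type}")
    return head + gw + public_key


def parse_ipseckey(rdata: bytes) -> dict:
    """Decode IPSECKEY RDATA, rejecting truncated or malformed input."""
    if len(rdata) < 3:
        raise ValueError("RDATA shorter than the three fixed octets")
    precedence, gw_type, algorithm = struct.unpack("!BBB", rdata[:3])
    off = 3
    if gw_type == GW_NONE:
        gateway = "."
    elif gw_type in (GW_IPV4, GW_IPV6):
        n = 4 if gw_type == GW_IPV4 else 16
        if len(rdata) < off + n:
            raise ValueError("truncated gateway address")
        gateway = str(ipaddress.ip_address(rdata[off:off + n]))
        off += n
    elif gw_type == GW_DNAME:
        gateway, off = _decode_name(rdata, off)
    else:
        raise ValueError(f"unknown gateway type {gw_type}")
    # Everything after the gateway is the public key; the record carries no
    # statement about who controls it beyond the zone having published it.
    return {"precedence": precedence, "gateway_type": gw_type,
            "algorithm": algorithm, "gateway": gateway,
            "public_key": rdata[off:]}


def to_presentation(rr: dict) -> str:
    """Text form per RFC 4025 section 3.1: precedence gw-type algorithm gateway key."""
    key = base64.b64encode(rr["public_key"]).decode("ascii")
    return f'{rr["precedence"]} {rr["gateway_type"]} {rr["algorithm"]} {rr["gateway"]} {key}'.rstrip()


# Constructed sample: precedence 10, domain-name gateway, algorithm 2 (RSA), 3-byte fake key
SAMPLE_WIRE = build_ipseckey(10, GW_DNAME, 2, "gw.example.net.", b"\x01\x02\x03")

if __name__ == "__main__":
    print(SAMPLE_WIRE.hex())
    print(to_presentation(parse_ipseckey(SAMPLE_WIRE)))
```

The round trip through `build_ipseckey` and `parse_ipseckey` is the useful check here: a resolver that validates the RRSIG over this RDATA has proven only that these exact octets came from the zone, so any policy about trusting the key for the owner name has to be layered on top, for instance the second channel Bill suggests.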