To:
George Michaelson <ggm@apnic.net>
Cc:
Edward Lewis <edlewis@arin.net>, Michael Richardson <mcr@sandelman.ottawa.on.ca>, dnsop@cafax.se
From:
Edward Lewis <edlewis@arin.net>
Date:
Wed, 19 Mar 2003 14:11:36 -0800
In-Reply-To:
<20030320051200.4f398ad8.ggm@apnic.net>
Sender:
owner-dnsop@cafax.se
Subject:
Re: Radical Surgery proposal: stop doing reverse for IPv6.
At 5:12 +1000 3/20/03, George Michaelson wrote:
>As another comment here, about the only thing you can take from the DNS is the
>->name<- of a key, if the use is to be applied outside of DNS as data in
>itself. This came up in PKIX, and got sat on pretty quick.

This isn't 100% accurate. E.g., certificates can be in the DNS' CERT RR and they can contain public keys. The reason this is acceptable is that the certificates are "secured" via the certification system's defined means.

The SIKED BOF, of some time ago, proposed to define a generic way to put application keys into DNS. The resounding result was that finding a generic way would be a, umm, titanic waste of time. IPSECKEY WG is chartered (more or less) to find a specific way to put one application's keys into DNS. (In this instance, the application is IPsec, and yes, you can debate if it is an application, but...)

>Unless I misread the Security directorate black hat view, it's not permissible
>to use DNSSEC keys to secure any other aspect of the Internet, apart from the
>DNS itself.

The fine hair to split here is that the DNS' KEY RR is only to be used for DNSSEC keys. The reason is that the KEY RR engenders special processing that is not appropriate for non-DNSSEC keys. The discussion over RFC 3445 went to great lengths to say that restricting the KEY RR to DNSSEC did NOT mean that application keys could not/never be in the DNS, hence the IPsec key effort.

>So we'd be talking about an RR identifying a key, to be found in some other
>context specific key distribution framework. Right?

I'll defer to Michael on this; I haven't been following IPSECKEY recently enough to answer.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                          +1-703-227-9854
ARIN Research Engineer

#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
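[Editor's added example, not part of Lewis's message or of any of the working groups named above.] The mail draws a line between two things a DNS consumer can find: a KEY RR, which after RFC 3445 may only carry a DNSSEC key (selected by the RFC 2535 protocol octet, value 3), and a CERT RR, which carries a certificate whose key is trusted through that certificate system's own means rather than through DNSSEC. The Python below parses both RDATA formats from the wire, applies the protocol-octet scope check to KEY records, computes the RFC 2535 key tag, and sorts a mixed list into "use for DNSSEC", "out of scope, ignore" and "certificate, validate elsewhere". The sample RDATA is constructed (not real keys or certificates); the `classify` function and its verdict strings are this example's own naming, not anything from the RFCs. RFC 3445 also constrains the KEY flags field; only the protocol octet is checked here because that is the distinction the message is about.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# KEY RR protocol octet values, RFC 2535 section 3.1.3.
PROTOCOL_TLS = 1
PROTOCOL_EMAIL = 2
PROTOCOL_DNSSEC = 3
PROTOCOL_IPSEC = 4
PROTOCOL_ALL = 255

# CERT RR type values, RFC 2538 section 2.1 (subset).
CERT_PKIX = 1
CERT_SPKI = 2
CERT_PGP = 3


@dataclass
class KeyRdata:
    """KEY RDATA (RFC 2535): flags(16) protocol(8) algorithm(8) public key."""
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes


@dataclass
class CertRdata:
    """CERT RDATA (RFC 2538): type(16) key tag(16) algorithm(8) certificate."""
    cert_type: int
    key_tag: int
    algorithm: int
    certificate: bytes


def parse_key_rdata(rdata: bytes) -> KeyRdata:
    if len(rdata) < 4:
        raise ValueError("KEY RDATA shorter than its 4-byte fixed header")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return KeyRdata(flags, protocol, algorithm, rdata[4:])


def parse_cert_rdata(rdata: bytes) -> CertRdata:
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its 5-byte fixed header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return CertRdata(cert_type, key_tag, algorithm, rdata[5:])


def key_tag(rdata: bytes) -> int:
    """Key tag over the whole KEY RDATA, RFC 2535 Appendix C (16-bit ones-complement-style sum)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_dnssec_key(key: KeyRdata) -> bool:
    """RFC 3445 scope check on the protocol octet: only DNSSEC (3) keys belong in a KEY RR.
    An IPsec, TLS, email or "all" key in a KEY RR must not get DNSSEC key processing."""
    return key.protocol == PROTOCOL_DNSSEC


def classify(records: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Sort ("KEY"|"CERT", rdata) pairs into what a consumer may do with each (example naming):
      "dnssec-key"   KEY usable for DNSSEC processing
      "out-of-scope" KEY whose protocol octet is not DNSSEC; ignore it per RFC 3445
      "cert:<type>"  CERT to be validated by that certificate system's own means, not DNSSEC
    """
    out = []
    for rrtype, rdata in records:
        if rrtype == "KEY":
            key = parse_key_rdata(rdata)
            out.append((rrtype, "dnssec-key" if is_dnssec_key(key) else "out-of-scope"))
        elif rrtype == "CERT":
            cert = parse_cert_rdata(rdata)
            out.append((rrtype, f"cert:{cert.cert_type}"))
        else:
            raise ValueError(f"unexpected RR type {rrtype}")
    return out


# Constructed sample RDATA for the demonstration; the key bytes and DER blob are placeholders.
ZONE_KEY_FLAG = 0x0100  # RFC 2535 flags bit 7, "zone key"

DNSSEC_KEY = struct.pack("!HBB", ZONE_KEY_FLAG, PROTOCOL_DNSSEC, 5) + b"\x01\x02\x03"
IPSEC_KEY = struct.pack("!HBB", 0, PROTOCOL_IPSEC, 5) + b"\x01\x02\x03"
PKIX_CERT = struct.pack("!HHB", CERT_PKIX, 4242, 5) + b"\x30\x03\x02\x01\x01"

SAMPLE = [("KEY", DNSSEC_KEY), ("KEY", IPSEC_KEY), ("CERT", PKIX_CERT)]

if __name__ == "__main__":
    for rrtype, verdict in classify(SAMPLE):
        print(rrtype, verdict)
    print("key tag of the DNSSEC KEY:", key_tag(DNSSEC_KEY))
```

The point of the split verdicts is that the two record types fail differently: a KEY with the wrong protocol octet is simply not a DNSSEC key and must be dropped before any DNSSEC processing, whereas a CERT is handed to the relevant certificate validator with the DNS having told you only where the certificate is, not that its key is trustworthy.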