To: Edward Lewis <lewis@tislabs.com>
cc: dnssec@cafax.se
From: Olaf Kolkman <OKolkman@ripe.net>
Date: Tue, 17 Apr 2001 16:45:09 +0200
Delivery-Date: Wed Apr 18 08:08:16 2001
In-reply-to: Your message of Wed, 11 Apr 2001 15:21:11 EDT. <v03130315b6fa5af0964f@[10.33.10.145]>
Sender: owner-dnssec@cafax.se
Subject: Re: lwresd, tsig, and caching
Ed wrote:
* B
* app client<--------------->lwresd<------------->recursive server
* localhost TSIG looks up and checks
* crypto check here
(...)
*
* What about apps that want to be involved in the security of the DNS lookups
* - they would like to display the security of the answer, or say, specify a
* secured TSIG/server to use in spite of configured servers. (As could be the
* case with the IETF terminal room & DHCP.)
My $0.02
During the IETF I would not trust a TSIG that is shared with 2k
users. I would prefer to use a SIG(0) with my local only configured
with the "public IETF resolver key" that is distributed via an off-band
mechanism.
So this is another variety:
app client<--------------->lwresd<------------->recursive server
localhost SIG(0) looks up and checks
crypto check here
Even for applications wanting to talk to a server it's better to use
SIG(0) instead of TSIG.
--Olaf
-----------------------------------------------------
Olaf M. Kolkman | RIPE NCC
----------- | ---------------
RIPE NCC | Phone: +31 20 535 4444
Singel 258 | Fax: +31 20 535 4445
1016 AB Amsterdam | http://www.ripe.net
The Netherlands | OKolkman@ripe.net
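As an added illustration of the trust argument in the reply above (not code from the thread or from lwresd): the check each scheme lets the local lwresd make, modelled in Go with HMAC-SHA256 standing in for TSIG and Ed25519 standing in for the RSA/DSA algorithms SIG(0) used at the time. The keys, the reply text and the "other user" are constructed; real TSIG and SIG(0) sign DNS wire-format messages, which is abstracted to a string here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
)

// Constructed keys: the TSIG secret handed to every terminal-room user, the
// resolver's SIG(0) key pair (only the public half is distributed), and a key
// pair for "some other user" who holds the shared TSIG secret but not resolverPriv.
var (
	tsigSecret   = []byte("constructed-shared-tsig-secret")
	resolverPriv = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	resolverPub  = resolverPriv.Public().(ed25519.PublicKey)
	otherPriv    = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))
)

// tsigMAC is the HMAC-SHA256 a TSIG-style signer attaches to a reply.
func tsigMAC(key []byte, reply string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(reply))
	return m.Sum(nil)
}

func tsigVerify(key []byte, reply string, mac []byte) bool {
	return hmac.Equal(mac, tsigMAC(key, reply))
}

func sig0Verify(pub ed25519.PublicKey, reply string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(reply), sig)
}

// Properties is what lwresd can conclude from a verifying reply under a scheme:
// GenuineOK means the resolver's own reply verifies; OtherUserOK means a reply
// produced by another key holder verifies too, i.e. the scheme cannot tell the
// resolver apart from any of the 2k users.
type Properties struct{ GenuineOK, OtherUserOK bool }

// Compare runs one constructed reply through both schemes.
func Compare(reply string) (tsig, sig0 Properties) {
	tsig.GenuineOK = tsigVerify(tsigSecret, reply, tsigMAC(tsigSecret, reply))
	otherUserSecret := append([]byte(nil), tsigSecret...) // their copy of the same key
	tsig.OtherUserOK = tsigVerify(tsigSecret, reply, tsigMAC(otherUserSecret, reply))
	sig0.GenuineOK = sig0Verify(resolverPub, reply, ed25519.Sign(resolverPriv, []byte(reply)))
	sig0.OtherUserOK = sig0Verify(resolverPub, reply, ed25519.Sign(otherPriv, []byte(reply)))
	return tsig, sig0
}
```

With the shared TSIG secret both flags come back true, so a verifying MAC only proves membership of the key-sharing group; with SIG(0) only the resolver's own reply verifies against the distributed public key.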