To: Edward Lewis <lewis@tislabs.com>
cc: dnssec@cafax.se
From: Olaf Kolkman <OKolkman@ripe.net>
Date: Tue, 17 Apr 2001 16:45:09 +0200
Delivery-Date: Wed Apr 18 08:08:16 2001
In-reply-to: Your message of Wed, 11 Apr 2001 15:21:11 EDT. <v03130315b6fa5af0964f@[10.33.10.145]>
Sender: owner-dnssec@cafax.se
Subject: Re: lwresd, tsig, and caching
Ed wrote:

*                          B
* app client<--------------->lwresd<------------->recursive server
*            localhost                   TSIG
*                       looks up and checks
*                       crypto check here
*
* (...)
*
* What about apps that want to be involved in the security of the DNS lookups
* - they would like to display the security of the answer, or say, specify a
* secured TSIG/server to use in spite of configured servers. (As could be the
* case with the IETF terminal room & DHCP.)

My $0.02

During the IETF I would not trust a TSIG that is shared with 2k users. I would prefer to use a SIG(0) with my local only configured with the "public IETF resolver key" that is distributed via an off-band mechanism. So this is another variety:

app client<--------------->lwresd<------------->recursive server
           localhost                  SIG(0)
                      looks up and checks
                      crypto check here

Even for applications wanting to talk to a server it's better to use SIG(0) instead of TSIG.

--Olaf

-----------------------------------------------------
Olaf M. Kolkman        | RIPE NCC
-----------            | ---------------
RIPE NCC               | Phone: +31 20 535 4444
Singel 258             | Fax:   +31 20 535 4445
1016 AB Amsterdam      | http://www.ripe.net
The Netherlands        | OKolkman@ripe.net
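The distinction Olaf draws between a TSIG key shared with a few thousand terminal-room users and a SIG(0) public key handed out via an off-band channel comes down to symmetric versus asymmetric authentication: with TSIG every holder of the key can both verify and produce a valid MAC, so the MAC tells lwresd nothing about which holder sent the answer; with SIG(0) the clients hold only the public key and can verify but not sign. The Python below is an added example, not part of this thread or of lwresd/BIND. It uses HMAC-SHA256 as a stand-in for the TSIG MAC and a deliberately tiny textbook RSA keypair (constructed primes, nowhere near a real KEY record) as a stand-in for SIG(0); the DNS answers are constructed byte strings, not wire-format messages.

```python
import hashlib
import hmac

# ---- TSIG-style authentication: one symmetric key shared by every party ----
# Stand-in for a TSIG MAC: HMAC-SHA256 over the message bytes. Real TSIG also
# covers the key name, algorithm and time fields; those are omitted here.
def tsig_sign(shared_key: bytes, message: bytes) -> bytes:
    return hmac.new(shared_key, message, hashlib.sha256).digest()

def tsig_verify(shared_key: bytes, message: bytes, mac: bytes) -> bool:
    return hmac.compare_digest(tsig_sign(shared_key, message), mac)

# ---- SIG(0)-style authentication: the resolver signs with a private key,
# ---- clients hold only the public key ----
# Toy textbook RSA with constructed small primes: demonstration only.
_P, _Q = 104729, 1299709            # both prime; constructed for this example
_E = 65537

def sig0_keypair():
    n = _P * _Q
    phi = (_P - 1) * (_Q - 1)
    d = pow(_E, -1, phi)            # modular inverse (Python >= 3.8)
    return (_E, n), (d, n)          # (public key, private key)

def _digest_mod_n(message: bytes, n: int) -> int:
    # Hash the message and reduce it into the modulus range.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sig0_sign(private_key, message: bytes) -> int:
    d, n = private_key
    return pow(_digest_mod_n(message, n), d, n)

def sig0_verify(public_key, message: bytes, signature: int) -> bool:
    e, n = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)

# ---- The comparison the mail makes ----
# Constructed stand-ins for a DNS answer and an altered copy of it.
GENUINE_ANSWER = b"www.example.net. IN A 192.0.2.10"
ALTERED_ANSWER = b"www.example.net. IN A 192.0.2.99"

def compare_trust_models(shared_tsig_key: bytes) -> dict:
    """Report which messages verify under each scheme, from a verifier's view."""
    # TSIG: the resolver authenticates the genuine answer ...
    genuine_mac = tsig_sign(shared_tsig_key, GENUINE_ANSWER)
    # ... but any other holder of the same secret can authenticate a different
    # answer just as well, because signing and verifying use the same key.
    peer_mac = tsig_sign(shared_tsig_key, ALTERED_ANSWER)

    # SIG(0): the resolver signs with its private key. A peer holding only the
    # distributed public key has nothing to sign with; the best it can do is
    # apply the public exponent, which does not verify.
    public_key, private_key = sig0_keypair()
    genuine_sig = sig0_sign(private_key, GENUINE_ANSWER)
    e, n = public_key
    peer_attempt = pow(_digest_mod_n(ALTERED_ANSWER, n), e, n)

    return {
        "tsig_genuine_verifies": tsig_verify(shared_tsig_key, GENUINE_ANSWER, genuine_mac),
        "tsig_peer_message_verifies": tsig_verify(shared_tsig_key, ALTERED_ANSWER, peer_mac),
        "sig0_genuine_verifies": sig0_verify(public_key, GENUINE_ANSWER, genuine_sig),
        "sig0_reused_sig_on_altered_verifies": sig0_verify(public_key, ALTERED_ANSWER, genuine_sig),
        "sig0_peer_attempt_verifies": sig0_verify(public_key, ALTERED_ANSWER, peer_attempt),
    }

if __name__ == "__main__":
    for name, ok in compare_trust_models(b"terminal-room-shared-secret").items():
        print(f"{name}: {ok}")
```

The two `tsig_*` results come back true together, which is exactly the property Olaf objects to: a MAC that verifies under a key held by 2k people proves only that one of those 2k people produced it. The SIG(0) results show that a public key configured at the client verifies the resolver's own signature and nothing else. In a real deployment the same reasoning is why the SIG(0) public key, not a shared secret, is the thing worth distributing out of band.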