

To: Olafur Gudmundsson <ogud@ogud.com>
Cc: dnssec@cafax.se
From: Edward Lewis <lewis@tislabs.com>
Date: Wed, 13 Jun 2001 15:20:54 -0400
Delivery-Date: Thu Jun 14 07:44:58 2001
In-Reply-To: <5.1.0.14.0.20010612093628.04d4fc30@localhost>
Sender: owner-dnssec@cafax.se
Subject: Re: Fwd: I-D ACTION:draft-ietf-dnsext-delegation-signer-00.txt

One problem with the DK(EY) approach is that it doubles the number of
cryptographic checks a resolver needs to perform to verify data.

I also think that altering the key publication is missing the true problem.
The problem lies in the SIG record.  It's the mismatch of the SIG record's
generator (the parent) from where the apex is (the child) that is causing
the problem.

So far we've been concentrating on the TLD/SLD interface.  What about the
lower levels, where the authoritative server sets may overlap?  Would
DK(EY) benefit those administrations in a way that offsets the cost of the
change?

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.


