To: Miek Gieben <miekg@atoom.net>
Cc: dnssec@cafax.se
From: Jakob Schlyter <jakob@crt.se>
Date: Thu, 19 Dec 2002 10:39:41 +0100 (MET)
In-Reply-To: <20021218204643.GB1756@atoom.net>
Sender: owner-dnssec@cafax.se
Subject: Re: dnssec resolver

On Wed, 18 Dec 2002, Miek Gieben wrote:

> I've made some improvements in the code. The most important change is
> that there is a resolvsec.conf. This file lists all the secure entry
> points together with their nameserver(s). I've made the decision to use
> DS record in this file instead of key records. The first reason is that
> I think DS records are somewhat easier to handle than key records. The
> second, related, reason is that this makes the parsing of the file a lot
> simpler.

I've just played around some with the code, it is really useful for
debugging. nice work!

I also agree with the decision to use ds records for trust and hope that
our friends at ISC will implement this in bind9 as well - it would be much
easier when configuring the resolvers. combined with a good
pseudo-language generator (such as bubblebabble used by ssh) out-of-band
verification is also easier. example:

	9d58f48fe8675d9b52021daa47cd2a35

... becomes ...

	xoced-kyvak-fydul-rorer-robat-lyhav-meran-socok-laram-robog-coxux

	jakob

--
Jakob Schlyter <jakob@crt.se>
Network Analyst
Phone: +46 31 701 42 13, +46 70 595 07 94
Carlstedt Research & Technology
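
The Bubble Babble encoding mentioned above, as an added example that is not part of the original message or of the resolver code: it renders a digest as pronounceable groups and checks a locally computed DS digest against a string received out of band. The function names and the sample digest are constructed for illustration.

```python
import hashlib
import hmac

VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"


def bubblebabble(data: bytes) -> str:
    """Encode bytes in the Bubble Babble scheme used for ssh fingerprints."""
    seed = 1                      # running checksum carried from group to group
    rounds = len(data) // 2 + 1
    out = ["x"]
    for i in range(rounds):
        if i + 1 < rounds or len(data) % 2:
            b0 = data[2 * i]
            out.append(VOWELS[((b0 >> 6) + seed) % 6])
            out.append(CONSONANTS[(b0 >> 2) & 15])
            out.append(VOWELS[((b0 & 3) + seed // 6) % 6])
            if i + 1 < rounds:
                b1 = data[2 * i + 1]
                out.append(CONSONANTS[b1 >> 4] + "-" + CONSONANTS[b1 & 15])
                seed = (seed * 5 + b0 * 7 + b1) % 36
        else:
            # Even-length input: the final group carries only the checksum.
            out.append(VOWELS[seed % 6] + "x" + VOWELS[seed // 6])
    out.append("x")
    return "".join(out)


def matches_out_of_band(local_digest_hex: str, received_babble: str) -> bool:
    """Compare the digest configured locally with a babble string read out
    over another channel (phone, paper), ignoring case and whitespace."""
    local = bubblebabble(bytes.fromhex(local_digest_hex))
    received = received_babble.strip().lower()
    return hmac.compare_digest(local.encode(), received.encode())


# Constructed sample: a 20-byte SHA-1 value standing in for a DS digest.
SAMPLE_DIGEST_HEX = hashlib.sha1(b"constructed sample key material").hexdigest()

if __name__ == "__main__":
    spoken = bubblebabble(bytes.fromhex(SAMPLE_DIGEST_HEX))
    print(SAMPLE_DIGEST_HEX)
    print(spoken)
    print(matches_out_of_band(SAMPLE_DIGEST_HEX, spoken))
```

The hex string quoted in the message is 16 bytes, while its eleven-group babble string encodes 20 bytes, so the two are not encodings of each other and the example does not try to reproduce them.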