To: dnssec@cafax.se
From: Derek Atkins <warlord@MIT.EDU>
Date: Mon, 10 May 2004 13:11:08 -0400
In-Reply-To: <20040510132357.GA28493@atoom.net> (Miek Gieben's message of "Mon, 10 May 2004 15:23:57 +0200")
Sender: owner-dnssec@cafax.se
User-Agent: Gnus/5.1003 (Gnus v5.10.3) Emacs/21.1 (gnu/linux)
Subject: Re: dnssec: resolver - application communication

[resending because I'm not subbed from my work account -derek]

Miek Gieben <miekg@atoom.net> writes:

> So basically it comes down to answering the question:
>
> * Must applications know the security status of DNS answers? *

Yes.

Let me give an example. Assume SSH starts deploying server keys in DNS
to help solve the "first contact" problem. The application could decide
to provide different messages to the user based on whether the answer
is secured. An unsecured SSHKey record would have little additional
trust than the first-contact assertion. Whereas a signed record could
be more trusted. The App should be allowed to make the distinction.

I also think the app should know the difference between:

- signed, signature is good.
- signed, but the signature expired.
- signed, but the signature did not validate.
- unsigned
- unsigned, but should be signed

Am I missing cases here?

-derek
--
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
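
Added example, not part of the original message or of any resolver's or SSH implementation's code: a sketch of how a resolver could report the five states listed above and how an SSH-like client could turn them into different first-contact messages. The `Answer` fields, the function names and the client policy are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Status(Enum):                       # the five cases listed in the message
    SIGNED_GOOD = "signed, signature is good"
    SIGNED_EXPIRED = "signed, but the signature expired"
    SIGNED_INVALID = "signed, but the signature did not validate"
    UNSIGNED = "unsigned"
    UNSIGNED_SHOULD_BE_SIGNED = "unsigned, but should be signed"

@dataclass
class Answer:                 # hypothetical resolver result, not a real API
    has_rrsig: bool           # an RRSIG covering the record set came back
    sig_verifies: bool        # cryptographic check against the zone key passed
    sig_expiration: int       # RRSIG expiration, seconds since the epoch
    zone_is_signed: bool      # the chain of trust says this zone is signed

def classify(a: Answer, now: int) -> Status:
    if not a.has_rrsig:
        # Only the chain of trust can tell "never signed" from "stripped".
        return (Status.UNSIGNED_SHOULD_BE_SIGNED if a.zone_is_signed
                else Status.UNSIGNED)
    if not a.sig_verifies:
        return Status.SIGNED_INVALID
    if now > a.sig_expiration:
        return Status.SIGNED_EXPIRED
    return Status.SIGNED_GOOD

def first_contact(status: Status, dns_fp: str, offered_fp: str) -> str:
    """Assumed client policy: what to tell the user on first contact."""
    if status is Status.SIGNED_GOOD:
        if dns_fp == offered_fp:
            return "accept: host key matches a validated DNS record"
        return "reject: host key differs from the validated DNS record"
    if status is Status.UNSIGNED:
        # No more trust than the usual first-contact assertion.
        return "prompt: unverified host key, DNS record is unsigned"
    # Expired, invalid, or stripped signatures: ignore the DNS record and
    # tell the user why, rather than silently treating it as unsigned.
    return f"warn: DNS key record not trusted ({status.value})"
```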