To:
Derek Atkins <warlord@MIT.EDU>
cc:
dnssec@cafax.se
From:
Roy Arends <roy@logmess.com>
Date:
Mon, 10 May 2004 19:30:42 +0200 (CEST)
In-Reply-To:
<sjm65b46wcz.fsf@dogbert.ihtfp.org>
Sender:
owner-dnssec@cafax.se
Subject:
Re: dnssec: resolver - application communication
On Mon, 10 May 2004, Derek Atkins wrote: > [resending because I'm not subbed from my work account -derek] > > Miek Gieben <miekg@atoom.net> writes: > > > So basically it comes down to answering the question: > > > > * Must applications know the security status of DNS answers? * > > Yes. > > Let me give an example. Assume SSH starts deploying server keys in DNS > to help solve the "first contact" problem. The application could decide > to provide different messages to the user based on whether the answer > is secured. An unsecured SSHKey record would have little additional > trust than the first-contact assertion. Whereas a signed record could > be more trusted. The App should be allowed to make the distinction. > > I also think the app should know the difference between: > > - signed, signature is good. > - signed, but the signature expired. > - signed, but the signature did not validate. > - unsigned > - unsigned, but should be signed > > Am I missing cases here? - signed, but the signature is not (yet) incepted Then there is the existence stuff: not existent, signed not existent, unsigned wildcard, signed wildcard, unsigned Roy