To:
Roy Arends <roy@logmess.com>
Cc:
dnssec@cafax.se
From:
David Blacka <davidb@verisignlabs.com>
Date:
Mon, 10 May 2004 14:04:22 -0400
Content-Disposition:
inline
In-Reply-To:
<Pine.LNX.4.58.0405101927030.10244@elektron.atoom.net>
Sender:
owner-dnssec@cafax.se
User-Agent:
KMail/1.6.2
Subject:
Re: dnssec: resolver - application communication
On Monday 10 May 2004 1:30 pm, Roy Arends wrote: > On Mon, 10 May 2004, Derek Atkins wrote: > > [resending because I'm not subbed from my work account -derek] > > > > Miek Gieben <miekg@atoom.net> writes: > > > So basically it comes down to answering the question: > > > > > > * Must applications know the security status of DNS answers? * > > > > Yes. > > > > Let me give an example. Assume SSH starts deploying server keys in DNS > > to help solve the "first contact" problem. The application could decide > > to provide different messages to the user based on whether the answer > > is secured. An unsecured SSHKey record would have little additional > > trust than the first-contact assertion. Whereas a signed record could > > be more trusted. The App should be allowed to make the distinction. > > > > I also think the app should know the difference between: > > > > - signed, signature is good. > > - signed, but the signature expired. > > - signed, but the signature did not validate. > > - unsigned > > - unsigned, but should be signed > > > > Am I missing cases here? > > - signed, but the signature is not (yet) incepted > > Then there is the existence stuff: > > not existent, signed > not existent, unsigned > wildcard, signed > wildcard, unsigned How about: signed, cannot establish chain of trust, and should be able to. signed, cannot establish chain of trust, and shouldn't be able to (no anchor). there are probably a few more. -- David Blacka <davidb@verisignlabs.com> Sr. Engineer VeriSign Applied Research