Re: SMTP+TLS to MXs, was Re: Comments on Draft IRTF ASRG DNSBL - 07

2008-11-14 02:57:11

In message <200811140742(_dot_)mAE7gJNn062219(_at_)drugs(_dot_)dv(_dot_)isc(_dot_)org>, Mark Andrews writes:

In message <alpine(_dot_)LRH(_dot_)2(_dot_)00(_dot_)0811140934240(_dot_)9364(_at_)netcore(_dot_)fi>, Pekka Savola writes:
On Fri, 14 Nov 2008, Mark Andrews wrote:
How does an application do "accept if signed and validated by DNSSEC"?

  You validate the CERT RRset using the techniques in RFC
  4033, 4034 and 4035.  If the answer is "secure" then it was
  signed and validated.  You then match the offered cert to the CERT
  RRs using the information from RFC 4398.

  Do you need more detail or is that enough guidance?

I was interested in more detail, specifically, are there application 
interfaces an application could use, or does every app need to implement 
validation using 4033-5 techniques (a lot of work, and most would 
probably do it wrong)?

      There are a number of libraries available which can do
      dnssec validation.

        And if you want to offload the validation you can use
        AD + TSIG.
 
      Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews(_at_)isc(_dot_)org
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
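
The check described in the thread above, sketched as an added example (not code from the thread or from any DNSSEC library): the offered certificate is accepted only if the CERT RRset was reported "secure" and one PKIX-type CERT record carries the same bytes. It assumes the DNSSEC status is supplied by a validating library, or by a resolver's AD bit on a TSIG-verified response; all function names are hypothetical and the sample bytes are constructed.

```python
import struct
from dataclasses import dataclass

CERT_TYPE_PKIX = 1  # RFC 4398: X.509 certificate carried in the RR itself
CERT_TYPE_PGP = 3   # RFC 4398: OpenPGP packet

@dataclass(frozen=True)
class CertRdata:
    cert_type: int
    key_tag: int
    algorithm: int
    data: bytes

def parse_cert_rdata(rdata: bytes) -> CertRdata:
    """RFC 4398 RDATA layout: type(16) | key tag(16) | algorithm(8) | cert."""
    if len(rdata) < 6:  # 5-byte header plus at least one byte of certificate
        raise ValueError("CERT RDATA too short")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return CertRdata(cert_type, key_tag, algorithm, rdata[5:])

def answer_is_secure(locally_validated: bool, ad_bit: bool, tsig_verified: bool) -> bool:
    """'Secure' comes from a local RFC 4033-4035 validator, or is offloaded:
    the resolver's AD bit counts only if TSIG authenticated the response."""
    return locally_validated or (ad_bit and tsig_verified)

def offered_cert_matches(offered_der: bytes, rrset: list, secure: bool) -> bool:
    """Accept the peer's certificate only on a secure answer and an exact
    byte match against a PKIX-type CERT record."""
    if not secure:
        return False  # insecure, bogus or indeterminate: do not trust the RRset
    for rdata in rrset:
        try:
            rr = parse_cert_rdata(rdata)
        except ValueError:
            continue  # skip malformed records rather than matching on them
        if rr.cert_type == CERT_TYPE_PKIX and rr.data == offered_der:
            return True
    return False

# Constructed sample data: placeholder bytes standing in for a DER certificate.
OFFERED_DER = bytes.fromhex("3082010a") + b"constructed-placeholder-certificate"
PGP_ONLY_RRSET = [struct.pack("!HHB", CERT_TYPE_PGP, 0, 0) + OFFERED_DER]
SAMPLE_RRSET = PGP_ONLY_RRSET + [
    b"\x00\x01",                                            # truncated record
    struct.pack("!HHB", CERT_TYPE_PKIX, 0, 0) + OFFERED_DER,
]
```

An AD bit received without TSIG verification yields `False` here, since an unauthenticated response can have the bit set by anyone on the path.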