Re: Securing DNS Re: IAB statement on the RPKI.

2010-02-17 12:50:08
On Wed, 17 Feb 2010, Phillip Hallam-Baker wrote:

> One mechanism that was unfortunately pushed aside as a result of the
> fixation on end-to-end DNSSEC would be for the resolver to use
> DNSSEC (and other methods) to authenticate the data it receives and to
> use some modification of TSIG to authenticate the communication
> between client and resolver.

I don't think that has been pushed aside. There's not much interest in it
at the moment because the focus is on authoritative-to-recursive DNSSEC.
Maybe attention will turn to recursive-to-stub security once there is more
assurance that the recursive server's answers are authentic.

> It would not take a great deal of effort to graft a Kerberos-like scheme
> on to effect key exchange.

Or use SIG(0).

Tony.
-- 
f.anthony.n.finch  <dot(_at_)dotat(_dot_)at>  http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
MODERATE OR GOOD.