ietf

Re: NATs *ARE* evil!

2000-12-18 22:10:04

DNSSEC is still evolving, it isn't deployed yet, and the right mailing
lists to discuss it are the DNSEXT and DNSOP working groups.  However,
to give a really brief answer, if your local resolver is unwilling to
do the full blown DNSSEC cryptography and just wants to trust that the
local nameserver is doing it right (a reasonable scenario), it would
likely secure its transactions with that nameserver with TSIG [RFC 2845].
And one way in which TSIG keying material could be set up is TKEY [RFC 2940].

Donald

From:  Valdis.Kletnieks@vt.edu
Message-Id:  <200012190358.eBJ3w6CW226720@black-ice.cc.vt.edu>
To:  "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
Cc:  ietf@ietf.org
In-Reply-To:  Your message of "Mon, 18 Dec 2000 22:54:47 EST." <200012190354.WAA27314@torque.pothole.com>
References:  <200012190354.WAA27314@torque.pothole.com>

On Mon, 18 Dec 2000 22:54:47 EST, "Donald E. Eastlake 3rd" <dee3@torque.pothole.com> said:
> If DNSSEC were deployed, I see no reason why SAs could not be
> bound to domain names.

I admit to not having read the DNSSEC RFCs.  I however do hope that they
are immune to the same sort of attacks against SSL and SSHv1 that are currently
getting a lot of publicity.

Anybody got a pointer to where in the RFC it discusses how the resolver on
my workstation initially verifies that it's not being man-in-the-middle'ed
from a spoof of our local nameserver?
-- 
                              Valdis Kletnieks
                              Operating Systems Analyst
                              Virginia Tech
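The TSIG transaction security that Donald's reply describes for a stub resolver that trusts its local nameserver, as an added example that is not part of this thread: a minimal RFC 2845 request signer (resolver side) and verifier (nameserver side) in Python with the HMAC-MD5 algorithm, where the MAC covers the entire DNS message plus the TSIG variables, so a request altered in transit, one lacking a valid MAC under the shared key, or one whose timestamp falls outside the fudge window is rejected. The key name, secret bytes and sample query are constructed for the example; how the key reaches both sides (out of band, or via TKEY as the reply mentions) is outside its scope.

```python
import hmac, hashlib, struct
# Constructed demo key and sample query (made up for this example, not taken from the thread).
KEY_NAME, KEY_SECRET = "stub.example.", bytes(range(16))   # shared by stub resolver and nameserver
ALG = "hmac-md5.sig-alg.reg.int."                           # RFC 2845 HMAC-MD5 algorithm name
TSIG_TYPE, ANY_CLASS = 250, 255

def wire_name(name):                       # canonical (lowercase, uncompressed) wire form
    return b"".join(bytes([len(l)]) + l.encode() for l in name.lower().rstrip(".").split(".")) + b"\x00"
# Sample unsigned request: recursive A/IN query for www.example.com, one question, no other records.
SAMPLE_QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + wire_name("www.example.com.") + b"\x00\x01\x00\x01"

def skip_name(msg, off):                   # offset just past a (possibly compressed) name
    while msg[off] and not msg[off] & 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 else 1)

def tsig_vars(alg_wire, time_signed, fudge, error=0, other=b""):
    return (wire_name(KEY_NAME) + struct.pack("!HI", ANY_CLASS, 0) + alg_wire     # RFC 2845 3.4.2: name, ANY, TTL 0, alg,
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, error, len(other)) + other)  # time, fudge, error, other

def sign_request(msg, time_signed, fudge=300):
    """Resolver side: MAC = HMAC-MD5(key, message as sent without TSIG || variables); append the TSIG RR."""
    mac = hmac.new(KEY_SECRET, msg + tsig_vars(wire_name(ALG), time_signed, fudge), hashlib.md5).digest()
    rdata = (wire_name(ALG) + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + msg[:2] + b"\x00\x00\x00\x00")          # original ID, error 0, other len 0
    rr = wire_name(KEY_NAME) + struct.pack("!HHIH", TSIG_TYPE, ANY_CLASS, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1         # the TSIG RR sits in the additional section
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def verify_request(signed, now):
    """Nameserver side: recompute the MAC and check |now - time signed| <= fudge; False on any problem."""
    try:
        qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
        off = skip_name(signed, 12) + 4                      # past the (single) question
        for _ in range(an + ns + ar - 1):                    # step over every RR except the last
            off = skip_name(signed, off)
            off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
        start, off = off, skip_name(signed, off)             # the last RR must be the TSIG
        tsig_ok = qd == 1 and signed[off:off + 4] == struct.pack("!HH", TSIG_TYPE, ANY_CLASS)
        alg_end = skip_name(signed, off + 10)
        hi, lo, fudge, macsize = struct.unpack("!HIHH", signed[alg_end:alg_end + 10])
        mac, p = signed[alg_end + 10:alg_end + 10 + macsize], alg_end + 10 + macsize
        error, other_len = struct.unpack("!HH", signed[p + 2:p + 6])
        unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:start]   # ARCOUNT as before signing
        variables = tsig_vars(wire_name(ALG), (hi << 32) | lo, fudge, error, signed[p + 6:p + 6 + other_len])
        expected = hmac.new(KEY_SECRET, unsigned + variables, hashlib.md5).digest()
        return (tsig_ok and signed[off + 10:alg_end].lower() == wire_name(ALG)
                and abs(now - ((hi << 32) | lo)) <= fudge and hmac.compare_digest(mac, expected))
    except (IndexError, struct.error):                       # truncated or malformed message
        return False
```

Responses are verified the same way except that the digest is prefixed with the request MAC (RFC 2845 section 3.4.3), which this request-only example leaves out.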