James A. Donald wrote:
I was unaware of this.  So I googled for DNSSEC. Reading
the DNSSEC documents I found
: :    "In order to support the larger DNS message
: :    sizes that result from adding the DNSSEC RRs,
: :    DNSSEC also requires EDNS0 support ([RFC
: :    671]). "

and

: :    "its authentication keys can be authenticated
: :    by some trusted means out of band from the
: :    DNS protocol."

This does not sound workable to me.

this could be analogous or the same as the trusted certification authority authentication keys that are incorporated into browsers when they are distributed (to the extent that distributed certification authority authentication keys, that are authenticated out of band from the standard PKI process, appear to work, it could be possible that something similar might also work for DNS).

the specification of the root DNS servers could include specifying the associated authentication keys ... in much the same way that the distribution of the root CAs information include the distribution of the associated CA authentication keys.

my rfc index
http://www.garlic.com/~lynn/rfcietff.htm

select "Term (term->RFC#)" under "RFCs listed by" ... and then select "DNSSEC" in the acronym fastpath.


domain name system security  (DNSSEC )
    see also domain name system, domain name system extensions,
    security
 4509 4470 4431 4398 4322 4310 4035 4034 4033 3845 3833 3755
 3658 3226 3225 3130 3110 3090 3008 3007 2931 2930 2845 2541
 2540 2539 2538 2537 2536 2535 2137 2065

in frames mode, clicking on the RFC number brings up the RFC summary in the lower frame. clicking on the ".txt=nnnn" field in the RFC summary retrieves the actual RFC.
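
The out-of-band key check discussed in this thread, as an added example that is not part of the original post: a resolver holds a locally configured trust anchor in DS form (key tag, algorithm, SHA-256 digest, per RFC 4034 and RFC 4509 from the list above) and accepts a DNSKEY received over DNS only if it hashes to that anchor. The key bytes, the anchor and all function names are constructed for illustration, not real root keys or any resolver's API.

```python
import hashlib
import hmac
import struct

def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA layout: Flags (2) | Protocol (1) | Algorithm (1) | Public Key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest: SHA-256 over (canonical owner name | DNSKEY RDATA)."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def matches_anchor(owner: str, rdata: bytes, anchor: dict) -> bool:
    """True only if the DNSKEY seen on the wire is the one pinned locally."""
    if rdata[3] != anchor["algorithm"] or key_tag(rdata) != anchor["key_tag"]:
        return False
    return hmac.compare_digest(ds_digest_sha256(owner, rdata), anchor["digest"].lower())

# Constructed sample keys: flags 257 (key-signing key), protocol 3, algorithm 8.
GENUINE_KEY = dnskey_rdata(257, 3, 8, bytes(range(64)))
FORGED_KEY = dnskey_rdata(257, 3, 8, bytes(range(1, 65)))

# Constructed anchor, standing in for a value shipped with the resolver
# software, the way root CA keys ship with a browser.
TRUST_ANCHOR = {
    "algorithm": 8,
    "key_tag": key_tag(GENUINE_KEY),
    "digest": ds_digest_sha256(".", GENUINE_KEY),
}

if __name__ == "__main__":
    for label, key in (("genuine", GENUINE_KEY), ("forged", FORGED_KEY)):
        print(label, "accepted" if matches_anchor(".", key, TRUST_ANCHOR) else "rejected")
```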

---------------------------------------------------------------------
The Cryptography Mailing List