On Fri, 15 Jun 2012, Paul Hoffman wrote:
> To date, there has been zero interest in the IPsec community for doing something DANE-style for IPsec.
I'm not sure what you mean by "DANE-style for IPsec" and "no interest". RFC-4025 with RFC-4322 is a "dane style ipsec" and far predates DANE.

Both these documents need an update, and possibly a merge. RFC-4322 should be updated to only allow RFC-4025(bis) type DNS records. And sections 5, 9.1 and 9.2 need updating on requiring DNSSEC and hard/soft failure modes similar to DANE.

I also believe that in RFC-4025, the gateway specification and its security impact also need to be re-evaluated based on our experience with freeswan/openswan. And it probably needs to allow for other public key types based on draft-kivinen-ipsecme-oob-pubkey-00.

Paul
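The RFC 4025 record format and the DNSSEC hard/soft failure modes discussed in the reply above, as an added worked example that is not part of the thread and is not code from any RFC or from freeswan/openswan. The parser follows the IPSECKEY wire layout in RFC 4025 (precedence, gateway type, algorithm, gateway, public key); the `select_policy` table is an assumption modelled on how DANE treats DNSSEC state (bogus data is never used, unvalidated data is ignored, and "hard" mode refuses rather than falling back to cleartext). The sample RDATA bytes are constructed for the example, not real DNS data.

```python
"""Parse RFC 4025 IPSECKEY RDATA and apply an assumed DANE-style use policy.

Added illustration, not code from the thread or any RFC. The policy table in
select_policy() is an assumption modelled on DANE's handling of DNSSEC state.
"""
import base64
import ipaddress
import struct
from dataclasses import dataclass
from enum import Enum


class GatewayType(Enum):          # RFC 4025 section 2.3
    NONE = 0
    IPV4 = 1
    IPV6 = 2
    DOMAIN = 3


@dataclass
class IPSECKEY:
    precedence: int               # lower is preferred (RFC 4025 section 2.2)
    gateway_type: GatewayType
    algorithm: int                # 0 = no key, 1 = DSA, 2 = RSA (RFC 4025 section 2.4)
    gateway: str                  # "." when gateway_type is NONE
    public_key: bytes             # raw key material, empty when algorithm == 0

    def to_presentation(self) -> str:
        """Text form: precedence gateway-type algorithm gateway base64-key."""
        parts = [str(self.precedence), str(self.gateway_type.value),
                 str(self.algorithm), self.gateway]
        if self.public_key:       # an algorithm-0 record carries no key field
            parts.append(base64.b64encode(self.public_key).decode("ascii"))
        return " ".join(parts)


def _read_name(data: bytes, off: int) -> tuple[str, int]:
    """Decode an uncompressed wire-format name; RFC 4025 forbids compression here."""
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in IPSECKEY gateway name")
        labels.append(data[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def parse_ipseckey(rdata: bytes) -> IPSECKEY:
    if len(rdata) < 3:
        raise ValueError("IPSECKEY RDATA shorter than its fixed 3-byte header")
    precedence, gw_raw, algorithm = struct.unpack("!BBB", rdata[:3])
    gw_type = GatewayType(gw_raw)          # ValueError on an unassigned type
    off = 3
    if gw_type is GatewayType.NONE:
        gateway = "."
    elif gw_type is GatewayType.IPV4:
        gateway, off = str(ipaddress.IPv4Address(rdata[off:off + 4])), off + 4
    elif gw_type is GatewayType.IPV6:
        gateway, off = str(ipaddress.IPv6Address(rdata[off:off + 16])), off + 16
    else:
        gateway, off = _read_name(rdata, off)
    key = rdata[off:]                      # public key occupies the rest of RDATA
    if algorithm == 0 and key:
        raise ValueError("algorithm 0 means no key, but key bytes are present")
    if algorithm != 0 and not key:
        raise ValueError("algorithm set but public key field is empty")
    return IPSECKEY(precedence, gw_type, algorithm, gateway, key)


class DnssecState(Enum):
    SECURE = "secure"       # validated by a trusted validating resolver
    INSECURE = "insecure"   # provably unsigned delegation
    BOGUS = "bogus"         # signatures present but validation failed


class Decision(Enum):
    USE_KEY = "use validated IPSECKEY"
    CLEARTEXT = "no usable key; continue without IPsec"
    REFUSE = "refuse to communicate"


def select_policy(records, state: DnssecState, hard_fail: bool):
    """Assumed DANE-style policy: BOGUS is always refused, INSECURE answers are
    ignored, and hard_fail turns every 'no key' outcome into REFUSE."""
    if state is DnssecState.BOGUS:
        return Decision.REFUSE, None
    keyed = [r for r in records if r.algorithm != 0] if state is DnssecState.SECURE else []
    if keyed:
        return Decision.USE_KEY, min(keyed, key=lambda r: r.precedence)
    return (Decision.REFUSE if hard_fail else Decision.CLEARTEXT), None


# Constructed sample RDATA for the example (not real DNS data); the key bytes are dummies.
SAMPLE_IPV4 = bytes([10, 1, 2]) + ipaddress.IPv4Address("192.0.2.38").packed + b"\x01\x02\x03\x04"
SAMPLE_DOMAIN = bytes([5, 3, 2]) + b"\x02gw\x07example\x03com\x00" + b"\xaa\xbb"
SAMPLE_NOKEY = bytes([1, 0, 0])          # precedence 1, no gateway, no key: never selectable
SAMPLES = [SAMPLE_IPV4, SAMPLE_DOMAIN, SAMPLE_NOKEY]

if __name__ == "__main__":
    recs = [parse_ipseckey(r) for r in SAMPLES]
    for r in recs:
        print(r.to_presentation())
    for st in DnssecState:
        for hard in (False, True):
            d, chosen = select_policy(recs, st, hard)
            print(st.value, "hard" if hard else "soft", "->", d.name, chosen.gateway if chosen else "")
```

The no-key record with the best precedence is deliberately skipped by `select_policy`: a record that names a gateway but carries no key cannot authenticate anything, which is the kind of gateway-field edge case the reply says needs re-evaluation.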
