On Fri, Jun 22, 2018 at 12:05 PM Tom Pusateri <pusat...@bangj.com> wrote:
> What’s the point of using DNS to look up a KEY RR to verify a signature if
> you can’t trust the KEY? The KEY resides in the sender's zone so no
> relationship with a resolver will help you here.
>

Yeah, this is a limitation in the SIG(0) spec as currently written, that I don't think needed to be there. If we consider the functionality of SIG(0) to be essentially a public key version of TSIG, then it should be possible to support a mode of operation where the key material is verified and pre-configured out-of-band, as is commonly the case with TSIG. If I were implementing SIG(0), I would have supported that.

Shumon.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop