One of the things that I was thinking about years ago, when DNSSEC was young and mDNS was first talked about, was using mDNS to exchange DNSSEC chains for FQDNs.

So, you and I, sitting in a meadow (I always think about Bloom County... in this context) can use mDNS to find each other, and then, I can give you an additional area like this:

    .                          172800 IN DNSKEY 256 3 8 AwEA...
    gov.                       86400  IN DNSKEY 256 3 7 AQO+tGAvoICmi...
    whitehouse.gov.            7200   IN DNSKEY 257 3 7 Av//sEnVpZw40...
    billthecat.whitehouse.gov. 60     IN DNSKEY 257 3 7 FOOBAR

which would permit you to validate who I am, even though neither of us has connectivity at the time. I would cache my DNSSEC path, and of course, we each would already have the root DNSSEC key. (no different than how PKIX works...)

I see signposts as being additional local trust anchors that can be used.

--
Michael Richardson <[email protected]>, Sandelman Software Works
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
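An added example, not part of the original message: a Python sketch of how a peer could check a cached chain like the one above while offline, by pinning the root DNSKEY to its locally held anchor and matching each child DNSKEY against a DS digest. It assumes the bundle also carries DS records (the mail lists only DNSKEYs) and a zone cut at every label; it does not verify RRSIG signatures, which a real validator must also do, and all names, keys and helper functions here are constructed for illustration.

```python
import base64, hashlib, struct

def name_to_wire(name):  # lowercased wire form, as hashed into a DS digest
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def key_tag(rdata):  # key tag over DNSKEY RDATA (RFC 4034, Appendix B)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_sha256(owner, rdata):  # DS digest type 2: SHA-256(owner name | RDATA)
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def parse_bundle(text):  # -> DNSKEY RDATA and (key tag, digest) pairs per owner
    keys, ds = {}, {}
    for f in (line.split() for line in text.strip().splitlines()):
        owner = f[0].lower()
        if f[3] == "DNSKEY":
            head = struct.pack("!HBB", int(f[4]), int(f[5]), int(f[6]))
            keys.setdefault(owner, []).append(head + base64.b64decode("".join(f[7:])))
        elif f[3] == "DS" and f[6] == "2":   # SHA-256 digests only
            ds.setdefault(owner, []).append((int(f[4]), "".join(f[7:]).lower()))
    return keys, ds

def linked_zones(bundle, target, anchor_rdata):
    """Zones from the root down to target whose key is pinned, in order."""
    keys, ds = parse_bundle(bundle)
    labels = [l for l in target.lower().split(".") if l]
    zones = ["."] + [".".join(labels[i:]) + "." for i in reversed(range(len(labels)))]
    ok = []
    for zone in zones:   # assumption: a zone cut at every label, as in the mail
        if zone == ".":  # the root key must equal the locally held anchor
            good = anchor_rdata in keys.get(zone, [])
        else:            # a child key must match a DS carried in the bundle
            good = any((key_tag(k), ds_sha256(zone, k)) in ds.get(zone, [])
                       for k in keys.get(zone, []))
        if not good:
            break        # chain broken here; nothing below is trusted
        ok.append(zone)
    return ok

def sample_bundle(names=(".", "gov.", "whitehouse.gov.")):  # constructed data
    out, head = [], struct.pack("!HBB", 257, 3, 8)
    for n in names:
        raw = ("constructed key for " + n).encode()   # made-up key bytes
        out.append(f"{n} 3600 IN DNSKEY 257 3 8 {base64.b64encode(raw).decode()}")
        if n != ".":
            out.append(f"{n} 3600 IN DS {key_tag(head + raw)} 8 2 {ds_sha256(n, head + raw)}")
    return "\n".join(out), head + b"constructed key for ."
```

`sample_bundle()` returns the constructed bundle text and the matching root anchor; `linked_zones()` stops at the first zone it cannot pin, so a missing or mismatched DS cuts off everything beneath it.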
