Hm. Ok, good news. Makes the job a wee bit easier.

On May 11, 2016 10:57 PM, "Mark Andrews" <[email protected]> wrote:
In message <CAPt1N1nOFM5cQd+WXTtJR9-Gg= [email protected]>, Ted Lemon writes:
> You don't even need SIG(0) to get the level of security that mDNS provides.
> And SIG(0) doesn't work right now, because it relies on an older version
> of DNSSEC keys. Remember the flag day?

DNSSEC depends on DNSKEY as of RFC 403[345].
SIG(0) depends on KEY.

The flag day separated DNSSEC from other uses of KEY. It did not say "stop using KEY for everything", just for DNSSEC.

Mark

> On Wed, May 11, 2016 at 8:33 PM, Mark Andrews <[email protected]> wrote:
> >
> > SIG(0) works fine for DDNS once you have a KEY record installed in
> > the DNS.
> >
> > KEY can be installed on a "add if name does not exist basis" for
> > forward zone and add if TCP self (owner name is the matching
> > in-addr.arpa/ip6.arpa name of the TCP source address) is true for
> > the reverse zones. This requires policy enforcement in the server
> > but is doable. Nameservers already have policy rules (e.g. tcp-self
> > has existed for years in named). Adding more is not a hard thing
> > to do.
> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: [email protected]

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
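The two server-side rules Mark Andrews sketches for installing a client's KEY record through DDNS (forward zone: only when the owner name does not yet exist; reverse zone: only over TCP, and only when the owner name is the in-addr.arpa/ip6.arpa name of the TCP source address, the check named calls tcp-self) modelled as an added Python example. This is not code from the thread or from named, and the zone contents, owner names and addresses are constructed for illustration.

```python
import ipaddress


def reverse_name(addr: str) -> str:
    """Owner name of the PTR for addr: d.c.b.a.in-addr.arpa. or nibbles.ip6.arpa."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def forward_key_allowed(zone: dict, owner: str) -> bool:
    """Forward-zone rule: a KEY may be added only if the name does not exist yet,
    so the first client to claim a name owns it and a later unsigned update
    cannot replace its key through this path."""
    return owner not in zone


def reverse_key_allowed(owner: str, transport: str, src: str) -> bool:
    """Reverse-zone rule (tcp-self): the update must have arrived over TCP, so the
    source address has completed a handshake, and the owner name must be the
    reverse name of that source address."""
    return transport == "tcp" and owner.lower() == reverse_name(src).lower()


def install_key(zone: dict, owner: str, key_rdata: str, *, reverse: bool,
                transport: str, src: str) -> bool:
    """Apply the rule for this zone kind; store the KEY and return True if accepted."""
    if reverse:
        allowed = reverse_key_allowed(owner, transport, src)
    else:
        allowed = forward_key_allowed(zone, owner)
    if allowed:
        zone.setdefault(owner, {})["KEY"] = key_rdata
    return allowed


if __name__ == "__main__":
    # Constructed sample: empty forward and reverse zones, a client at 192.0.2.10.
    fwd, rev = {}, {}
    print(install_key(fwd, "printer.home.example.", "KEY-A", reverse=False,
                      transport="udp", src="192.0.2.10"))      # True: new name
    print(install_key(fwd, "printer.home.example.", "KEY-B", reverse=False,
                      transport="udp", src="192.0.2.99"))      # False: name exists
    print(install_key(rev, reverse_name("192.0.2.10"), "KEY-A", reverse=True,
                      transport="tcp", src="192.0.2.10"))      # True: tcp-self holds
    print(install_key(rev, reverse_name("192.0.2.10"), "KEY-B", reverse=True,
                      transport="tcp", src="192.0.2.99"))      # False: source mismatch
```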
