> as long as secure channel is maintained between host and resolver,
> it does not make difference, no? do you think host would configure
> secure channel to untrustworthy resolver?

The document makes a reference to TKEY as a way to create keys for TSIG. I certainly don't understand how this works in practice - does it mean essentially an anonymous DH exchange? If so the host might think it has a secure channel (using TSIG) with a trusted party when in fact it has a secure channel with a recursive resolver that it shouldn't trust.

Has anybody implemented this stuff with TKEY + TSIG?

Erik

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
