>>>>> On Wed, 24 Jul 2002 18:38:45 -0700, 
>>>>> Ted Lemon <[EMAIL PROTECTED]> said:

>> So more accurately, you meant like this?
>>
>>                    NI query
>> nodeinfo client ------------------> the target
>>                                     with some private key
>>                 <------------------
>>                    NI response signed
>>                    by the private key

> Yes, where the name in the response is a valid domain name, and when the 
> client looks for a KEY record on that domain name, it finds a public key 
> that can be used to successfully validate the signature on the response.

okay, so I guess you and itojun (attached) were talking about
different things.

Returning to your idea, it sounds attractive.  However, I'm not sure
if this approach is applicable widely.  In particular, I'm not sure if
"edge devices" such as personal laptops, PDAs, cell phones..., for
which the nodeinfo-revlookup would be most useful, have private keys
authorized in the DNSSEC framework.

                                        JINMEI, Tatuya
                                        Communication Platform Lab.
                                        Corporate R&D Center, Toshiba Corp.
                                        [EMAIL PROTECTED]

--- Begin Message ---
>>      i may be asking a stupid question, but where do you get that private
>>      key from?  for instance, if a node responds with "www.ietf.org",
>>      we could get a public key for www.ietf.org by KEY RR query, but
>>      not the private key (it's on ietf.org authoritative server, and
>>      is not accessible from outside).
>Presumably the device answering the ICMP request is the one named,
>and therefore knows the private key associated with its name.

        no, the device answering the ICMPv6 request is not named.

        with the "type ipv6nodeinfo" directive, named will work like this:
        - accept DNS query from a DNS client resolver.
        - send NI query to the target address.
        - receive NI response from the target.
        - send DNS response to the original DNS client resolver.

        since the NI query target can return an arbitrary FQDN (like
        "www.ietf.org"), named does not have the private key.

client resolver ---------> named -------> the target
                DNS query        NI query
client resolver <--------- named <------- the target
                DNS response     NI response

itojun
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
--- End Message ---
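The signed-response scheme Ted Lemon sketches above, with the client-side KEY lookup, as an added example written for this page (it is not code from the thread, from itojun's ipv6nodeinfo patch, or from any NI implementation). The NI message layout, the signature over nonce||name, the Ed25519 key type, the names laptop.example.net and phone.example.net, and the in-memory map standing in for a DNSSEC-validated KEY lookup are all assumptions made for the example. It plays out the three cases the thread raises: a node that holds the key published under its own name, a node that merely claims "www.ietf.org" (itojun's point that the private key for that name sits on ietf.org's servers), and an edge device with no KEY record at all (JINMEI's concern).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// NIQuery models the ICMPv6 Node Information query sent to the target. The
// nonce binds the reply to this query; the value used below is constructed.
type NIQuery struct {
	Nonce uint64
}

// NIResponse models a Node Name reply extended, as the thread proposes, with a
// signature made by the responding node over nonce||name, so a reply can be
// neither replayed for another query nor re-labelled with another name.
// This wire layout is an assumption for the example, not any standard.
type NIResponse struct {
	Nonce     uint64
	Name      string // FQDN the node claims to be
	Signature []byte // Ed25519 signature over signedBytes(Nonce, Name)
}

func signedBytes(nonce uint64, name string) []byte {
	buf := make([]byte, 8, 8+len(name))
	binary.BigEndian.PutUint64(buf, nonce)
	return append(buf, name...)
}

// Node is an NI responder: the name it puts in the reply and whatever private
// key it happens to hold, which may or may not belong to that name.
type Node struct {
	ClaimedName string
	priv        ed25519.PrivateKey
}

func newNode(name string) (*Node, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Node{ClaimedName: name, priv: priv}, pub
}

// Respond answers the query, signing with the node's own key.
func (n *Node) Respond(q NIQuery) NIResponse {
	msg := signedBytes(q.Nonce, n.ClaimedName)
	return NIResponse{Nonce: q.Nonce, Name: n.ClaimedName, Signature: ed25519.Sign(n.priv, msg)}
}

// KeyZone stands in for the DNS: name -> public key from that name's KEY RR.
// Trusting the lookup requires DNSSEC validation, assumed to have happened.
type KeyZone map[string]ed25519.PublicKey

var (
	ErrNonce  = errors.New("nonce mismatch: reply is not for this query")
	ErrNoKey  = errors.New("no KEY record for the claimed name")
	ErrBadSig = errors.New("signature does not verify under the name's public key")
)

// Verify is the client-side check: look up the KEY record for the name in the
// reply and check the signature against that public key.
func Verify(zone KeyZone, q NIQuery, r NIResponse) error {
	if r.Nonce != q.Nonce {
		return ErrNonce
	}
	pub, ok := zone[r.Name]
	if !ok {
		return ErrNoKey
	}
	if !ed25519.Verify(pub, signedBytes(r.Nonce, r.Name), r.Signature) {
		return ErrBadSig
	}
	return nil
}

// Scenario runs the three cases from the thread and returns the client's
// verdict for each.
func Scenario() (honest, impostor, unkeyed error) {
	zone := KeyZone{}
	laptop, laptopPub := newNode("laptop.example.net") // key published under its own name
	zone["laptop.example.net"] = laptopPub
	_, ietfPub := newNode("www.ietf.org") // real key holder: ietf.org's servers, not the target
	zone["www.ietf.org"] = ietfPub
	impostorNode, _ := newNode("www.ietf.org") // claims the name, signs with its own key
	phone, _ := newNode("phone.example.net")   // edge device with no KEY record at all

	q := NIQuery{Nonce: 0x0123456789abcdef} // constructed; a real client picks it at random
	honest = Verify(zone, q, laptop.Respond(q))
	impostor = Verify(zone, q, impostorNode.Respond(q))
	unkeyed = Verify(zone, q, phone.Respond(q))
	return
}

func main() {
	honest, impostor, unkeyed := Scenario()
	fmt.Println("laptop.example.net:", honest)
	fmt.Println("claimed www.ietf.org:", impostor)
	fmt.Println("phone.example.net:", unkeyed)
}
```

The impostor case is what makes the scheme hold up: a node can write any FQDN into the reply, but the client fetches the key for that FQDN, not for the node, so a claim to a name whose private key the node does not hold fails verification. The unkeyed case is the limitation JINMEI raises: the check cannot even be attempted for a device with no key in the DNS, and that describes most laptops and phones.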
