I'm sorry, but this is not related to DANE (nor was it last time you came shopping around).
I (of course) have no problem with folk reviewing it, just making it clear that it isn't a DANE thing...

W

Warren Kumari
------
Please excuse typing, etc -- This was sent from a device with a tiny keyboard.

> On Sep 27, 2013, at 6:13 PM, "Hosnieh Rafiee" <[email protected]> wrote:
>
> Hello,
>
> I am looking for reviewers to review the
> http://tools.ietf.org/html/draft-rafiee-intarea-cga-tsig draft. It deals
> with the use of CGA (RFC 3972) or SSAS for authentication purposes during
> various types of scenarios. This is truly possible when the authentication
> is based on the source IP address. Everything in this authentication is done
> "on the fly" and only once is there a need to configure the Servers.
>
> Advantages:
> - If the shared secret is compromised (which is true in TSIG), you won't need
>   to repeat the process of re-sharing the shared secret among the many hosts
>   that used the compromised shared secret.
> - If for any reason the IP address of any nodes involved in authentication
>   is changed, then the other nodes will still be able to verify that it is
>   the same node.
> - It is both easier and preferable to use this approach to prove the address
>   ownership while at the same time performing source IP address
>   authentication.
> - The nodes don't need to go through the chain of trusts because the magic
>   of CGA or SSAS works well. This means that if the other nodes are aware of
>   one node's real IP address then that is all the information the other nodes
>   need to identify this node, no matter how your node changes its IP address.
>   This draft explains how to easily handle this situation, automatically,
>   without the need for human intervention.
>
> I am sure you will find it interesting.
>
> The different scenarios that are considered are:
> - Authentication during FQDN
> - Authentication during zone transfer
> - Authentication of the resolvers in stub resolvers
> - Authentication of root DNS servers to recursive DNS servers
>
> We also considered the scenario where the server doesn't support CGA or
> SeND. The interesting thing about this draft is that you can use a CGA
> script generator that I will provide and make available to everybody. Then
> just manually set the IP address for the node that wants to use CGA-TSIG.
> The CGA-TSIG implementation will thereafter process the handling for all
> the CGA parameters.
>
> This scenario is good for the future of the Internet where IPv6 is used. I
> guess many DNS servers now support IPv6 as well as IPv4.
>
> I am looking forward to receiving your comments.
>
> Thank you,
> Hosnieh
>
> P.S. So if you'll review mine I'll review yours.. Deal??? :-)
>
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass

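The quoted post rests on the property of Cryptographically Generated Addresses (RFC 3972) that an IPv6 interface identifier is derived from a hash of the owner's public key, so a verifier that knows the address and the CGA parameters can check address ownership without any pre-shared secret. The following added example (not code from the draft or from either poster) implements the RFC 3972 generation and verification steps in Python: Hash1 over modifier, subnet prefix, collision count and public key yields the interface identifier, Hash2 enforces the Sec-parameter work factor, and verification recomputes both. It is deliberately simplified: the "public key" is a constructed byte string standing in for the DER-encoded key the RFC specifies, the modifier search is a plain random loop, and no signature over a message is shown, only the address-to-key binding that the post describes.

```python
import hashlib
import os

# RFC 3972 field sizes (octets): 64-bit subnet prefix, 128-bit modifier.
PREFIX_LEN = 8
MODIFIER_LEN = 16

# Constructed placeholder: RFC 3972 hashes the DER-encoded SubjectPublicKeyInfo.
# A plain byte string is used here only so the example runs offline.
EXAMPLE_PUBKEY = b"constructed-placeholder-public-key-bytes"


def hash1(modifier: bytes, prefix: bytes, collision_count: int, pubkey: bytes) -> bytes:
    """Leftmost 64 bits of SHA-1(modifier | prefix | collision count | public key)."""
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]


def hash2(modifier: bytes, pubkey: bytes) -> bytes:
    """Leftmost 112 bits of SHA-1(modifier | 9 zero octets | public key)."""
    return hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()[:14]


def leading_zero_bits(data: bytes) -> int:
    """Count leading zero bits; Hash2 must have at least 16*Sec of them."""
    count = 0
    for byte in data:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def interface_id(h1: bytes, sec: int) -> bytes:
    """Write Sec into the three leftmost bits and clear the 'u' and 'g' bits (bits 6, 7)."""
    iid = bytearray(h1)
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return bytes(iid)


def generate_cga(prefix: bytes, pubkey: bytes, sec: int, collision_count: int = 0):
    """Return (address, CGA parameters). Sec in 0..7; 16*Sec leading zero bits in Hash2."""
    assert len(prefix) == PREFIX_LEN and 0 <= sec <= 7 and collision_count in (0, 1, 2)
    while True:  # search for a modifier that satisfies the Hash2 condition
        modifier = os.urandom(MODIFIER_LEN)
        if leading_zero_bits(hash2(modifier, pubkey)) >= 16 * sec:
            break
    address = prefix + interface_id(hash1(modifier, prefix, collision_count, pubkey), sec)
    params = {"modifier": modifier, "prefix": prefix,
              "collision_count": collision_count, "pubkey": pubkey}
    return address, params


def verify_cga(address: bytes, params: dict) -> bool:
    """RFC 3972 section 5: check the address really binds to the claimed public key."""
    if len(address) != 16 or params["collision_count"] not in (0, 1, 2):
        return False
    if params["prefix"] != address[:PREFIX_LEN]:
        return False
    sec = address[8] >> 5
    expected = hash1(params["modifier"], params["prefix"],
                     params["collision_count"], params["pubkey"])
    actual = address[8:]
    # Compare Hash1 with the interface identifier, ignoring Sec and the u/g bits.
    if (expected[0] & 0x1C) != (actual[0] & 0x1C) or expected[1:] != actual[1:]:
        return False
    return leading_zero_bits(hash2(params["modifier"], params["pubkey"])) >= 16 * sec


def demo() -> dict:
    """Generate a Sec=1 address for a constructed prefix, then verify it and a forged key."""
    prefix = bytes.fromhex("20010db800000001")  # constructed documentation prefix
    address, params = generate_cga(prefix, EXAMPLE_PUBKEY, sec=1)
    forged = dict(params, pubkey=b"some-other-key")  # attacker claims same address
    return {"address_hex": address.hex(), "valid": verify_cga(address, params),
            "forged_key_valid": verify_cga(address, forged)}


if __name__ == "__main__":
    print(demo())
```

The verifier needs nothing beyond the address and the public CGA parameters, which is the "no shared secret to re-distribute" point in the post; the cost of forging a binding for a chosen address is the hash work the Sec value imposes, so a deployment should pick Sec deliberately rather than leaving it at 0.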