Stephane Bortzmeyer <[email protected]> wrote:

> On Sat, Feb 15, 2014 at 03:40:48PM +0000,
>  Tony Finch <[email protected]> wrote
>  a message of 84 lines which said:
>
> > A DANE-like approach might work for authoritative servers.
>
> It is mentioned in the draft but it raises an interesting
> chicken-and-egg problem when you want to secure DNS with info found in
> the DNS.

Very interesting :-)

The resolver needs to find out that an auth server supports TLS before it
sends a query. This implies that the information needs to be part of the
referral. It would be wrong to shoe-horn it into the DS RRset (e.g. by
adding semantics to one of the algorithm fields) since DS records relate
to the zone not to the name servers. So it should go into the NS RRset -
but referral NS records aren't signed!

Maybe the resolver could go and ask elsewhere. This could be quite
plausible for out-of-zone name servers, but it does not help for in-zone
server names. Or use the reverse DNS?

No palatable options that I can see :-/

Tony.
-- 
f.anthony.n.finch  <[email protected]>  http://dotat.at/
Malin, Hebrides, Bailey: Northwest 7 to severe gale 9 decreasing 4 or 5,
occasionally variable 3 later. Very rough or high, becoming rough later.
Showers, squally at first. Moderate or poor becoming good.

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
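To make the "referral NS records aren't signed" point concrete, here is an added illustration that is not part of the original message or of any draft it discusses. It builds a constructed parent-side referral in DNS wire format (NS, DS and RRSIG(DS) in the authority section, an A glue record in the additional section, placeholder digest and signature bytes), parses it back, and reports which RR types in each section are covered by an RRSIG. The names `sub.example.` / `ns1.sub.example.`, the address 192.0.2.1 and the key tag are constructed values; the toy parser does not handle name compression because the encoder never emits it.

```python
"""Minimal DNS wire-format model of a delegation (referral) response.

Added illustration for the thread above; the referral content is
constructed and the DS digest / RRSIG signature bytes are placeholders.
"""
import struct

# RR type codes from RFC 1035 / RFC 4034
TYPE_A, TYPE_NS, TYPE_DS, TYPE_RRSIG = 1, 2, 43, 46
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def encode_rr(name: str, rtype: int, rdata: bytes, ttl: int = 3600) -> bytes:
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def rrsig_rdata(type_covered: int) -> bytes:
    # Only the type-covered field matters for this illustration; the other
    # RRSIG fields and the signature itself are placeholders (constructed).
    fixed = struct.pack("!HBBIIIH", type_covered, 13, 2, 3600, 0, 0, 0)
    return fixed + encode_name("example.") + b"\x00" * 64


def build_referral(child: str = "sub.example.", ns: str = "ns1.sub.example.") -> bytes:
    """Parent's referral: NS + DS + RRSIG(DS) in authority, glue A in additional."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 3, 1)  # QR set, 1 question
    question = encode_name("www." + child) + struct.pack("!HH", TYPE_A, CLASS_IN)
    authority = (
        encode_rr(child, TYPE_NS, encode_name(ns))
        + encode_rr(child, TYPE_DS, struct.pack("!HBB", 12345, 13, 2) + b"\x11" * 32)
        + encode_rr(child, TYPE_RRSIG, rrsig_rdata(TYPE_DS))
    )
    additional = encode_rr(ns, TYPE_A, bytes([192, 0, 2, 1]))  # unsigned glue
    return header + question + authority + additional


def decode_name(buf: bytes, off: int):
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers not supported in this toy parser")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def parse_records(msg: bytes):
    """Return [(section, name, type, rdata)] for every RR in the message."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # QTYPE + QCLASS
    out = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            out.append((section, name, rtype, msg[off:off + rdlen]))
            off += rdlen
    return out


def signed_types(msg: bytes, section: str = "authority") -> dict:
    """Map each RR type present in `section` to whether an RRSIG there covers it.

    A type that maps to False cannot carry a hint the resolver could verify
    at the referral, which is the chicken-and-egg problem in the thread.
    """
    covered, present = set(), set()
    for sec, _, rtype, rdata in parse_records(msg):
        if sec != section:
            continue
        if rtype == TYPE_RRSIG:
            covered.add(struct.unpack("!H", rdata[:2])[0])  # type covered
        else:
            present.add(rtype)
    return {t: (t in covered) for t in present}


if __name__ == "__main__":
    print(signed_types(build_referral()))                # {2: False, 43: True}
    print(signed_types(build_referral(), "additional"))  # {1: False}
```

Running it prints that the DS RRset (type 43) is the only signed data in the referral while the NS RRset (type 2) and the glue address (type 1) are not, which is exactly why a server-capability hint cannot simply be hung off the NS records a resolver sees on the way down.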