Re: [DNSOP] dns data exchanged between host and local dns-server
On Sun, Apr 26, 2009 at 01:13:37PM -0500, Ted Lemon ted.le...@nominum.com wrote a message of 22 lines which said:

> Of course hopefully ssh is implemented in such a way that it makes sure the SSHFP RR has been validated by the resolver before using it; I haven't actually tried it, so I don't know.

At least OpenSSH appears not to do that systematically, probably because there is no secure name resolution API, no standard way to check the AD bit from an application (and the app will still not know if the validating resolver was secure, or if it was using random trust anchors without checking).

There is an option in OpenSSH to activate DNSSEC testing for SSHFP (see dns.c and openbsd-compat/getrrsetbyname.c), but it seems to depend on the local stub resolver's support and therefore does not work on every system.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
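As an added example (not code from the thread or from OpenSSH), here is the check the message says a client would need: trust an SSHFP record only when the response carries the AD bit and the fingerprint matches the host key. The DNS message, the host key blob and the name are constructed; note that the AD bit still cannot tell the client whether the path to the validating resolver is trustworthy, which is the gap the message points out.

```python
import hashlib
import struct

# Constructed sample (not a real key): a host key blob and its published SSHFP RDATA,
# algorithm 1 (RSA), fingerprint type 2 (SHA-256), per RFC 4255 / RFC 6594.
HOST_KEY_BLOB = b"constructed-sample-ssh-host-key-blob"
SSHFP_RDATA = bytes([1, 2]) + hashlib.sha256(HOST_KEY_BLOB).digest()

AD_FLAG = 0x0020      # Authentic Data bit in the DNS header flags (RFC 4035)
TYPE_SSHFP = 44


def build_response(ad_bit: bool) -> bytes:
    """Build a minimal wire-format DNS response carrying one SSHFP answer (constructed)."""
    flags = 0x8180 | (AD_FLAG if ad_bit else 0)          # QR, RD, RA, optional AD
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = b"\x04host\x07example\x00" + struct.pack("!HH", TYPE_SSHFP, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SSHFP, 1, 3600, len(SSHFP_RDATA))
    return header + question + rr + SSHFP_RDATA


def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                            # compression pointer
            return pos + 2
        pos += 1 + length
        if length == 0:
            return pos


def sshfp_matches(msg: bytes, host_key_blob: bytes) -> bool:
    """True only if the resolver set AD and an SSHFP fingerprint matches the key.
    AD means the *resolver* validated; it says nothing about whether the path to
    that resolver or its trust anchors can be trusted (the gap the thread notes)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & AD_FLAG:
        return False
    pos = 12
    for _ in range(qd):                                      # skip question section
        pos = _skip_name(msg, pos) + 4
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rdata, pos = msg[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        if rtype != TYPE_SSHFP or len(rdata) < 2:
            continue
        digest = {1: hashlib.sha1, 2: hashlib.sha256}.get(rdata[1])
        if digest and digest(host_key_blob).digest() == rdata[2:]:
            return True
    return False
```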
Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt
On 27-Apr-2009, at 09:05, Edward Lewis wrote:

> Perhaps we should avoid the RFC 5513 HSM and just spell it out - a (cryptographic) hardware support module.

Hardware Security Module is the more usual expanded form, I think?

Joe
Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt
At 9:16 -0400 4/27/09, Joe Abley wrote:

> Hardware Security Module is the more usual expanded form, I think?

Wikipedia sides with you, Joe. Toh-may-to, Toh-ma-toh. ;)

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar
You can leave a voice message at +1-571-434-5468

Getting everything you want is easy if you don't want much.
Re: [DNSOP] dns data exchanged between host and local dns-server
Holger Zuleger (Holger.Zuleger) writes:

> Even BIND as a (local) forwarding name server is not able to use GSS-TSIG to protect the communication with the recursive name server.

You can set up TSIG between recursive nameservers.

> Please correct me if I'm wrong. I've been looking for a TSIG-aware stub resolver for years.

Well, Unbound does provide the necessary pieces to build one, but I've yet to see the OS stub resolver implement TSIG.

Phil
Re: [DNSOP] WGLC: Requirements for Management of Name Servers for the DNS
On Sat, 21 Mar 2009 22:44:42 -0700, Doug Barton do...@dougbarton.us said:

DB> I've read the draft at the URL above and am generally supportive of
DB> its moving forward.

Doug,

Thanks for responding with a review of the Management Requirements document. I've applied all your very useful changes to the draft. I only had a question/comment about one of them:

DB> 3.1.1 Needed Control Operations
DB> The ability to do a reload on an individual zone should probably be
DB> mentioned here.

That's probably a good point, but I think it's worth checking to make sure anyone else reading this has a problem with this. Supporting partial reloads (be that a split along a zone data set line or something more granular) is potentially more intensive than a complete reload. You're right that the original text didn't really specify anything (though it implied a complete reload). How does this bullet replacement sound:

OLD: Reloading zone data
NEW: Reloading some or all of the zone data sets

I'm not sure "sets" should be in there or not... I think it conveys the boundary line better though.

--
In the bathtub of history the truth is harder to hold than the soap, and much more difficult to find. -- Terry Pratchett
Re: [DNSOP] WGLC: Requirements for Management of Name Servers for the DNS
On Sun, 22 Mar 2009 13:42:39 -0700, SM s...@resistor.net said:

> From the Abstract: ...

Thanks for the comments on the draft; I've incorporated all of your changes.

--
In the bathtub of history the truth is harder to hold than the soap, and much more difficult to find. -- Terry Pratchett