CGA-TSIG is a possible solution to the secure-provisioning problem. The IPv6
CGA address contains a hash of a public key used to secure the service. If the
address is provisioned in a secure manner, then the client can authenticate the
resolver, by verifying that the resolver's certificate
Hi Christian,
Thanks for sharing your opinion about current approaches and also CGA-TSIG.
If we do change the client and resolver, a number of alternatives can
be used, such as:
* Use the same trick as CGA but encode the hash of the certificate as a
name part, e.g.
https://datatracker.ietf.org/ipr/2469/
___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy