How is DNSSEC

Steven M. Bellovin smb at cs.columbia.edu
Wed Mar 26 13:20:21 EDT 2008


On Fri, 21 Mar 2008 08:52:07 +1000
"James A. Donald" <jamesd at echeque.com> wrote:

>  From time to time I hear that DNSSEC is working fine, and on
> examining the matter I find it is "working fine" except that ....
> 
> Seems to me that if DNSSEC is actually working fine, I should be able
> to provide an authoritative public key for any domain name I control,
> and should be able to obtain such keys for other domain names, and
> use such keys for any purpose, not just those purposes envisaged in
> the DNSSEC specification.  Can I?  It is not apparent to me that I
> can.
> 
You might want to look at RFC 3445 and draft-iab-dns-choices-05.txt.

As for DNSSEC keys -- DNSSEC is for securing the DNS.  Once you've done
that, you can put other records in the DNS, but there are some subtle
points in DNS RR design that should be heeded.


		--Steve Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List