Status of opportunistic encryption

Anne & Lynn Wheeler lynn at garlic.com
Fri Jun 2 21:16:05 EDT 2006


James A. Donald wrote:
> I was unaware of this.  So I googled for DNSSEC. Reading
> the DNSSEC documents I found
> : :    "In order to support the larger DNS message
> : :    sizes that result from adding the DNSSEC RRs,
> : :    DNSSEC also requires EDNS0 support ([RFC
> : :    671]). "
> 
> and
> 
> : :    "its authentication keys can be authenticated
> : :    by some trusted means out of band from the
> : :    DNS protocol."
> 
> This does not sound workable to me.

this could be analogous or the same as the trusted certification 
authority authentication keys that are incorporated into browsers when 
they are distributed (to the extent that distributed certification 
authority authentication keys, that are authenticated out of band from 
the standard PKI process, appear to work, it could be possible that 
something similar might also work for DNS).

the specification of the root DNS servers could include specifying the 
associated authentication keys ... in much the same way that the 
distribution of the root CAs information includes the distribution of the 
associated CA authentication keys.

my rfc index
http://www.garlic.com/~lynn/rfcietff.htm

select "Term (term->RFC#)" under "RFCs listed by" ... and then select 
"DNSSEC" in the acronym fastpath.


domain name system security  (DNSSEC )
     see also domain name system, domain name system extensions,
     security
  4509 4470 4431 4398 4322 4310 4035 4034 4033 3845 3833 3755
  3658 3226 3225 3130 3110 3090 3008 3007 2931 2930 2845 2541
  2540 2539 2538 2537 2536 2535 2137 2065

in frames mode, clicking on the RFC number brings up the RFC summary in 
the lower frame. clicking on the ".txt=nnnn" field in the RFC summary 
retrieves the actual RFC.
