Status of opportunistic encryption
Anne & Lynn Wheeler
lynn at garlic.com
Fri Jun 2 21:16:05 EDT 2006
James A. Donald wrote:
> I was unaware of this. So I googled for DNSSEC. Reading
> the DNSSEC documents I found
> : : "In order to support the larger DNS message
> : : sizes that result from adding the DNSSEC RRs,
> : : DNSSEC also requires EDNS0 support ([RFC
> : : 671]). "
>
> and
>
> : : "its authentication keys can be authenticated
> : : by some trusted means out of band from the
> : : DNS protocol."
>
> This does not sound workable to me.

this could be analogous or the same as the trusted certification
authority authentication keys that are incorporated into browsers when
they are distributed (to the extent that distributed certification
authority authentication keys, that are authenticated out of band from
the standard PKI process, appear to work, it could be possible that
something similar might also work for DNS).

the specification of the root DNS servers could include specifying the
associated authentication keys ... in much the same way that the
distribution of the root CAs' information includes the distribution of the
associated CA authentication keys.

my rfc index
http://www.garlic.com/~lynn/rfcietff.htm

select "Term (term->RFC#)" under "RFCs listed by" ... and then select
"DNSSEC" in the acronym fastpath.

domain name system security (DNSSEC)
    see also domain name system, domain name system extensions,
    security
    4509 4470 4431 4398 4322 4310 4035 4034 4033 3845 3833 3755
    3658 3226 3225 3130 3110 3090 3008 3007 2931 2930 2845 2541
    2540 2539 2538 2537 2536 2535 2137 2065

in frames mode, clicking on the RFC number brings up the RFC summary in
the lower frame. clicking on the ".txt=nnnn" field in the RFC summary
retrieves the actual RFC.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
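
The out-of-band trust anchor idea discussed in the message above, as an added example that is not part of the original post: a validator holds a DS-style digest of a zone key (RFC 4034, SHA-256 per RFC 4509), obtained out of band, and accepts a DNSKEY received in-band only if it hashes to that digest. The key bytes, the anchor tuple layout and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def name_to_wire(name):
    """Canonical lowercase wire form of an owner name (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B: a lookup hint, not a security check."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """hash(owner name | DNSKEY RDATA); type 1 is SHA-1, type 2 is SHA-256."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).digest()

def matches_anchor(owner, rdata, anchor):
    """Accept an in-band DNSKEY only if it matches the out-of-band anchor."""
    a_owner, a_tag, a_alg, a_type, a_digest = anchor
    flags, _proto, alg = struct.unpack("!HBB", rdata[:4])
    if name_to_wire(owner) != name_to_wire(a_owner):
        return False
    if not flags & 0x0100 or alg != a_alg or key_tag(rdata) != a_tag:
        return False  # must be a zone key with the expected algorithm and tag
    return hmac.compare_digest(ds_digest(owner, rdata, a_type), a_digest)

# Constructed sample data: the key bytes are placeholders, not a real root key.
GOOD = dnskey_rdata(257, 3, 5, bytes(range(64)))
ANCHOR = (".", key_tag(GOOD), 5, 2, ds_digest(".", GOOD, 2))  # shipped out of band
# Swapping two bytes at even offsets keeps the key tag but changes the digest.
FORGED = dnskey_rdata(257, 3, 5, bytes([2, 1, 0]) + bytes(range(3, 64)))

if __name__ == "__main__":
    print("genuine key accepted:", matches_anchor(".", GOOD, ANCHOR))
    print("same-tag forgery accepted:", matches_anchor(".", FORGED, ANCHOR))
```

The forged key shares the genuine key's tag, so only the digest comparison against the out-of-band anchor rejects it.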