[Cryptography] Doing DNS properly Re: Apple's iCloud+ "VPN"

Donald Eastlake d3e3e3 at gmail.com
Tue Jun 29 23:34:18 EDT 2021


Hi,

On Tue, Jun 29, 2021 at 12:50 AM Phillip Hallam-Baker
<phill at hallambaker.com> wrote:
> ........
>
> TSIG is fine but doesn't work as an authentication scheme because
> there is no key agreement mechanism. We could have easily done it right but ...

TSIG was initially standardized in RFC 2845 by Paul Vixie et al. in May
2000. The need for a key agreement was obvious, which is why I wrote
RFC 2930 "Secret Key Establishment for DNS (TKEY RR)" which was
published in September 2000. I'm not claiming RFC 2930 is wonderful
but for a 20+ year old effort, I don't think it is all that terrible.
If someone had come to me with ideas for improvements / extensions to
TSIG key agreement, wanting to create an RFC 2930bis, I would have been
happy to do so, as I would be if such a person came to me today.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 2386 Panoramic Circle, Apopka, FL 32703 USA
 d3e3e3 at gmail.com
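The point both messages turn on is that TSIG is a MAC over the DNS message keyed with a secret that both parties must already hold (TKEY, RFC 2930, is how that secret is meant to get there). The following is an added example, not code from the post, from Donald Eastlake, or from any RFC: it signs a minimal DNS query with a TSIG RR per RFC 8945 and verifies it. The key name, secret, transaction ID, query name and timestamp are all constructed for illustration; only the HMAC-over-message-plus-TSIG-variables layout is the real protocol.

```python
"""TSIG (RFC 8945) request signing and verification with a pre-shared secret.

Added example; key name, secret and query are constructed for illustration.
"""
import hashlib
import hmac
import struct

KEY_NAME = "tsig-key.example."                       # constructed key name
ALGORITHM = "hmac-sha256."                           # RFC 8945 algorithm name
SECRET = b"0123456789abcdef0123456789abcdef"         # constructed shared secret
TSIG_TYPE, CLASS_ANY = 250, 255


def encode_name(name):
    """Uncompressed DNS wire name, lowercased (the canonical form TSIG hashes)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(buf, off):
    """Return the offset just past the wire name starting at buf[off]."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                    # compression pointer ends the name
            return off + 2
        off += 1 + length


def build_query(txid, qname, qtype=1):
    """Minimal DNS query: header (RD set, one question) plus the question."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))


def tsig_mac(secret, message, time_signed, fudge, error=0, other=b""):
    """MAC = HMAC(secret, message-without-TSIG-RR || TSIG variables)."""
    variables = (encode_name(KEY_NAME)
                 + struct.pack("!HI", CLASS_ANY, 0)  # CLASS=ANY, TTL=0
                 + encode_name(ALGORITHM)
                 + time_signed.to_bytes(6, "big")    # 48-bit time signed
                 + struct.pack("!HHH", fudge, error, len(other)) + other)
    return hmac.new(secret, message + variables, hashlib.sha256).digest()


def sign_query(secret, txid, qname, time_signed, fudge=300):
    """Append a TSIG RR to the additional section and bump ARCOUNT."""
    msg = build_query(txid, qname)
    mac = tsig_mac(secret, msg, time_signed, fudge)
    rdata = (encode_name(ALGORITHM) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", txid, 0, 0))      # original ID, error, other len
    rr = (encode_name(KEY_NAME)
          + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata)
    return msg[:10] + struct.pack("!H", 1) + msg[12:] + rr


def verify_query(secret, signed, now):
    """Find the trailing TSIG RR, recompute the MAC with our key, check the window."""
    txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    if ar == 0:
        return False                                  # unsigned message
    off = 12
    for _ in range(qd):
        off = skip_name(signed, off) + 4              # QTYPE + QCLASS
    for _ in range(an + ns + ar - 1):                 # skip every RR except the last
        off = skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    off = skip_name(signed, off)
    if signed[tsig_start:off].lower() != encode_name(KEY_NAME):
        return False                                  # key we do not hold
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    off += 10
    if rtype != TSIG_TYPE or rclass != CLASS_ANY:
        return False
    alg_end = skip_name(signed, off)
    if signed[off:alg_end].lower() != encode_name(ALGORITHM):
        return False
    off = alg_end
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    off += 6
    fudge, maclen = struct.unpack("!HH", signed[off:off + 4])
    off += 4
    mac = signed[off:off + maclen]
    off += maclen
    orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    off += 6
    other = signed[off:off + other_len]
    if orig_id != txid:
        return False
    # Message as it was hashed: TSIG RR removed and ARCOUNT decremented.
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    expected = tsig_mac(secret, unsigned, time_signed, fudge, error, other)
    if not hmac.compare_digest(mac, expected):
        return False
    return abs(now - time_signed) <= fudge            # replay window
```

Note what the verifier cannot do: it has no way to learn the key from the message, only to look up the key name it was configured with. A party that does not already share `SECRET` cannot verify or forge the MAC, which is exactly why a key-establishment step (out-of-band provisioning or TKEY) has to precede any use of TSIG for authentication.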

