Re: IPSEC goes to RFC
Don Eastlake has actually done a draft RFC on using the DNS for key distribution. It may be found at

ftp://ietf.cnri.reston.va.us/internet-drafts/draft-ietf-dnssec-secext-04.txt

He briefed the W3C security working group about this recently, and a number of people raised objections, notably

* database bloat
* zone transfer bloat
* increased hits on root servers due to a new class of inquiry.

There was some discussion as to whether these were valid objections, and the people running prototype code said they had had no problems.

Peter Trei
Senior Software Engineer
Purveyor Development Team
Process Software Corporation
trei@process.com
"Peter Trei" writes:

> Don Eastlake has actually done a draft RFC on using the DNS for key
> distribution.

It's more than a draft -- at this point it is very clearly standards track. Note that the document in question only covers security for the DNS itself, but the side effect is that you've built all the mechanisms you need for general key distribution. Don is now working on the certificate formats.

> It may be found at
>
> ftp://ietf.cnri.reston.va.us/internet-drafts/draft-ietf-dnssec-secext-04.txt
>
> He briefed the W3C security working group about this recently, and a
> number of people raised objections, notably
>
> * database bloat
> * zone transfer bloat
> * increased hits on root servers due to a new class of inquiry.

As I've noted, given the actual in-field experience of Hesiod, I'm not in the least worried.

.pm
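The "bloat" objections in the thread are about what a per-name public key actually adds to a zone. The following is an added example, not code from either poster or from the secext draft: it encodes and decodes a DNSSEC KEY resource record in the wire layout the draft was standardised as in RFC 2065 (two bytes of flags, one byte of protocol, one byte of algorithm, then the public key), and then measures how much a small zone grows when every host gets one. Assumptions: the -04 draft's layout matches RFC 2065; algorithm 1 (RSA/MD5) keys are encoded as exponent length, exponent, modulus (RFC 2065 / RFC 2537); the host names, TTLs and the 1024-bit "modulus" are constructed for the demo and are not a real key pair.

```python
"""Added example: DNSSEC KEY RR wire encoding and a zone-bloat estimate.

Not code from the thread or from the secext draft.  Wire layout per
RFC 2065 (flags:16, protocol:8, algorithm:8, public key).  RSA/MD5 key
encoding per RFC 2065 / RFC 2537: exponent length (one byte, or 0x00
plus a two-byte length when the exponent exceeds 255 bytes), exponent,
modulus.  All sample data below is constructed for the demo.
"""
import struct

ALG_RSA_MD5 = 1    # RFC 2065 algorithm number for RSA/MD5
PROTO_DNSSEC = 3   # RFC 2065 protocol value: key is for DNS security itself
TYPE_KEY = 25      # RR type code for KEY
TYPE_A = 1


def encode_rsa_pubkey(exponent: int, modulus: int) -> bytes:
    """Exponent-length prefix, exponent, modulus (big-endian)."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    mod = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    if len(exp) <= 255:
        hdr = bytes([len(exp)])
    else:
        hdr = b"\x00" + struct.pack("!H", len(exp))
    return hdr + exp + mod


def decode_rsa_pubkey(blob: bytes):
    """Inverse of encode_rsa_pubkey; returns (exponent, modulus)."""
    n, off = blob[0], 1
    if n == 0:
        n = struct.unpack("!H", blob[1:3])[0]
        off = 3
    exponent = int.from_bytes(blob[off:off + n], "big")
    modulus = int.from_bytes(blob[off + n:], "big")
    return exponent, modulus


def encode_key_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """KEY RDATA: flags (raw 16 bits, meaning assigned by RFC 2065), protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def decode_key_rdata(rdata: bytes) -> dict:
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return {"flags": flags, "protocol": protocol, "algorithm": algorithm, "pubkey": rdata[4:]}


def encode_name(name: str) -> bytes:
    """Uncompressed DNS wire name: length-prefixed labels, root label terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def rr_size(owner: str, rdata: bytes) -> int:
    """Bytes for one uncompressed RR: NAME + TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) + RDATA."""
    return len(encode_name(owner)) + 2 + 2 + 4 + 2 + len(rdata)


def zone_bytes(hosts, key_rdata: bytes = None) -> int:
    """Size of a toy zone holding one A record per host, plus one KEY record each if given."""
    total = 0
    for host in hosts:
        total += rr_size(host, b"\x0a\x00\x00\x01")   # constructed A record, 10.0.0.1
        if key_rdata is not None:
            total += rr_size(host, key_rdata)
    return total


if __name__ == "__main__":
    # Constructed 1024-bit value with the top bit set; NOT a real RSA modulus.
    modulus = (1 << 1023) | 12345
    key = encode_key_rdata(0x0000, PROTO_DNSSEC, ALG_RSA_MD5, encode_rsa_pubkey(65537, modulus))
    hosts = ["host1.example.", "host2.example."]
    before, after = zone_bytes(hosts), zone_bytes(hosts, key)
    print(f"KEY RDATA bytes: {len(key)}")
    print(f"zone bytes, A only: {before}; with one KEY per host: {after} ({after / before:.1f}x)")
```

The interesting number is the per-owner growth: the four-byte KEY header is negligible, so a 1024-bit RSA key turns a 29-byte A record owner into roughly 190 bytes, which is what "database bloat" and "zone transfer bloat" meant in the W3C discussion. Whether that matters operationally is exactly the point Perry disputes from the Hesiod experience; the example only puts a size on the objection.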