
Re: DNSKEY flags field



At Mon, 14 Jun 2004 15:49:52 -0400, Ed Lewis wrote:
> 
> Tossing out this - how safe is it to assume that if the hash in a DS 
> RR matches the DNSKEY RR with proto=4, that the DNSKEY RR is genuine? 
> Even if the RRSIG over the DNSKEY set indicates keys that are all 
> proto=4?

Define "genuine".  Seriously.

Properly signed DS is an attestation by the parent that it believes
that the child has asked to have this signed key hash listed and that
listing this signed key hash doesn't violate the parent's (unknown,
not part of protocol) policies.  Further deponent sayeth not.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
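The check discussed in this message, as an added example that is not part of the original post or of any project's code: it shows what a DS-to-DNSKEY match establishes mechanically, using the DS digest construction from RFC 4034 (a hash over the owner name and the full DNSKEY RDATA, protocol octet included). The owner name, key bytes, field values and helper names are constructed for illustration.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of a domain name."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.lower().encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 octets) | protocol (1) | algorithm (1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag as in RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 1) -> bytes:
    """DS digest = H(canonical owner name | DNSKEY RDATA); 1 = SHA-1, 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).digest()

def ds_matches(ds: dict, owner: str, rdata: bytes) -> bool:
    """True when key tag, algorithm and digest in the DS all bind to this DNSKEY."""
    return (ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == rdata[3]
            and ds["digest"] == ds_digest(owner, rdata, ds["digest_type"]))

# Constructed sample data: owner name and key bytes are made up.
OWNER = "child.example."
KEY = bytes(range(64))
LISTED = dnskey_rdata(flags=257, protocol=3, algorithm=5, public_key=KEY)
DS = {"key_tag": key_tag(LISTED), "algorithm": 5, "digest_type": 1,
      "digest": ds_digest(OWNER, LISTED)}
# Same key bytes with only the protocol octet changed.
ALTERED = dnskey_rdata(flags=257, protocol=4, algorithm=5, public_key=KEY)

if __name__ == "__main__":
    print("listed key matches DS: ", ds_matches(DS, OWNER, LISTED))
    print("altered key matches DS:", ds_matches(DS, OWNER, ALTERED))
```

A match shows only that the DS record refers to these exact DNSKEY bytes at this owner name; the code has no input that could express the parent's policy or how the hash came to be listed.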