On 4/16/2010 4:03 PM, Roy Badami wrote:
>> DNSSEC and ISAKMP are not related.
>
> Well, that's no longer entirely true... AIUI Microsoft seem to have
> decided that in their DNSSEC implementation they will use IPsec (and
> hence IKE with GSS-API) to secure communications from the client to
> the validating resolver (rather than using GSS-TSIG, which is how they
> secure dynamic updates). So in the MS world, DNSSEC and ISAKMP *are*
> at least indirectly related.
>
> I have no idea whether this is likely to result in port 500 traffic to
> random non-participating nameservers, though - I would assume not but
> am prepared to be proved wrong.

Wow... Good catch! I've read the Microsoft documentation on 'last mile' DNSSEC goodness and yes, they do rely on IPSec to secure that portion of the DNS transaction. Thanks for pointing that out. It will definitely be interesting to see if this increase in ISAKMP traffic is a side effect of DNSSEC deployment.

AlanC
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users