-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi Paul,
So this is another solution, which I want out there in the solution
space because it is stateless. And there are many things to consider ...
Sending the qname as the zone name in plaintext is not a good idea.
For hop-by-hop encryption there
Hello,
(a reaction to the second paragraph of 4. Authenticated Operation, only)
That paragraph states that the ENCRYPT RR can be signed by DNSSEC.
However, I don't think that is possible!
A signature is the hash of the DNS data sent, encrypted with the private key.
But in this case: the private key of whom?!
Hi Marc,
In the draft it says to store the ENCRYPT RR in this case at
ns.example.com. It would then be signed with the ZSK DNSKEY for
example.com, with normal DNSSEC chain of trust.
But again, the authenticated operation is not the main aim of this
I think the draft is very unclear on this (DNSSEC) point; at least I don't
find this statement about the ENCRYPT RR being signed with the private key
of example.com.
Anyway: an RRSIG RR holds the name of the domain that signed, in clear text.
Kind regards,
Marc
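Marc's point above is that the Signer's Name field of an RRSIG is plain text. The following is an added example, not the draft's code and not posted by anyone in this thread: it serialises and parses RRSIG RDATA in the RFC 4034 section 3.1 wire layout and checks that the signer name (here example.com., signing an RRset at ns.example.com as in Wouter's reply) is recoverable from the bytes without any key. The key tag, timestamps and signature bytes are constructed and carry no meaning.

```python
"""Added example (not from the ENCRYPT draft or from any poster in this thread):
build and parse RRSIG RDATA per RFC 4034 section 3.1 and show that the
Signer's Name is an uncompressed domain name sitting in clear in the record."""
import struct

# Fixed-size prefix of RRSIG RDATA: type covered, algorithm, labels,
# original TTL, signature expiration, signature inception, key tag.
RRSIG_FIXED = struct.Struct("!HBBIIIH")


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels (no compression,
    which RFC 4034 forbids inside RRSIG)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long: %r" % label)
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def decode_name(data: bytes, offset: int):
    """Decode an uncompressed name at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not permitted in RRSIG signer name")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_rrsig_rdata(type_covered, algorithm, labels, original_ttl,
                      expiration, inception, key_tag, signer_name, signature):
    """Serialise RRSIG RDATA: fixed fields, then signer name, then raw signature."""
    return (RRSIG_FIXED.pack(type_covered, algorithm, labels, original_ttl,
                             expiration, inception, key_tag)
            + encode_name(signer_name) + signature)


def parse_rrsig_rdata(rdata: bytes) -> dict:
    """Parse RRSIG RDATA into its fields. No key is needed to read any of them."""
    if len(rdata) < RRSIG_FIXED.size + 1:
        raise ValueError("RRSIG RDATA too short")
    (type_covered, algorithm, labels, original_ttl,
     expiration, inception, key_tag) = RRSIG_FIXED.unpack_from(rdata, 0)
    signer_name, off = decode_name(rdata, RRSIG_FIXED.size)
    return {
        "type_covered": type_covered,
        "algorithm": algorithm,
        "labels": labels,
        "original_ttl": original_ttl,
        "expiration": expiration,
        "inception": inception,
        "key_tag": key_tag,
        "signer_name": signer_name,
        "signature": rdata[off:],
    }


def signer_name_in_clear(rdata: bytes, signer_name: str) -> bool:
    """True when the wire form of signer_name appears verbatim in the RDATA,
    i.e. a passive observer can read which zone signed the RRset."""
    return encode_name(signer_name) in rdata


# Constructed sample (not real data): an RRSIG over the A RRset at
# ns.example.com, signed by example.com. Key tag, timestamps and the
# signature bytes are made up for illustration.
SAMPLE_RRSIG_RDATA = build_rrsig_rdata(
    type_covered=1,            # A
    algorithm=8,               # RSASHA256
    labels=3,                  # ns.example.com has three labels
    original_ttl=3600,
    expiration=1388534400,     # 2014-01-01T00:00:00Z
    inception=1385683200,      # 2013-11-29T00:00:00Z
    key_tag=12345,
    signer_name="example.com.",
    signature=bytes(range(32)),
)

if __name__ == "__main__":
    fields = parse_rrsig_rdata(SAMPLE_RRSIG_RDATA)
    print("signer:", fields["signer_name"], "key tag:", fields["key_tag"])
    print("signer name readable without a key:",
          signer_name_in_clear(SAMPLE_RRSIG_RDATA, "example.com."))
```

The parser refuses compression pointers in the signer name, which is exactly what RFC 4034 requires for RRSIG; the check in signer_name_in_clear is the whole of Marc's observation: whichever zone signs the ENCRYPT RR, its name travels in the RRSIG unencrypted.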
On Fri, Nov 29, 2013 at 10:40
And there is also a public key rolling issue in this scheme, just like zone KSK
rolling in DNSSEC. More consideration is needed to handle this issue, since the
private key of a DNS domain may be leaked.
Guangqing Deng
CNNIC
From: Marc Lampo
Date: 2013-11-29 18:53
To: W.C.A. Wijngaards
CC: dn