
Re: Install DNS mappings based on TLS/IPsec?





Iljitsch van Beijnum wrote:

On 4-jul-04, at 10:43, Brian E Carpenter wrote:

Are you suggesting that the multi6 solution should have a strict
dependency on using TLS or IPSEC?


Certainly not. I'm saying two things:

- if the DNS doesn't work, discover information that would normally be in the DNS through the TLS or IKE negotiation, and

Sorry for the late addition to the thread, but the use of the DNS for forward and reverse lookups is often to provide confirmation of identity.


To that end, DNSSEC is useful, by replacing the assumption of trust with true trust. The presumption in either case is that if the DNS tree verifies fwd/rev, then things are reasonable.

IKE relies either on X.509 keys (a different hierarchy) or preshared secrets. At best, all this does is move the problem (DNSSEC certificate hierarchy -> X.509 certificate hierarchy); at worst, it exposes the endpoint to assuming identity when the pre-shared key could be open (compromised, or deliberate).

I.e., it would be necessary (IMO) to limit this to identities exchanged by IKE/TLS based on CAs, not based on preshared keys. That may not be feasible.

- the DNS is often insecure, so let the TLS or IKE derived information override it to increase security

The more independent trust mechanisms there are, the less trust that results, IMO.


Joe

But if TLS/IPsec aren't used, the information is taken from the DNS.
