[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Last Call: Using DNS to securely publish SSH key fingerprints to Proposed Standard
On Mon, 12 May 2003, Simon Josefsson wrote:
> Was it considered to allow for other security mechanisms to authenticate
> the SSHFP data, besides DNSSEC?
yes, but that does not scale.
> Some scenarios that are precluded by the current text:
>
> * TSIG/IPSEC-protected query to authoritative server with SSHFP.
>
> * TSIG/IPSEC-protected query to trusted server with SSHFP. (The
> server may have received the data using a secure channel from the
> authoritative server.)
just because the server is authoritative does not mean the data can be
trusted. the entity signing the zonefile is what should be trusted, not
the box serving it.
> * Using data from zone files received securely out of band. (E.g.,
> via SSH, or by mail protected by CMS or OpenPGP, from the
> authoritative domain.)
what you are describing here is not DNS, it is some other mechanism using
DNS zone files as transport format.
jakob