
Agenda item: draft-ietf-dnsext-ad-is-secure



This is a returning (from more than a year ago) item for the agenda.

Version 06 should take care of the discusses (including Scott's).
Can the discussants (Randy and Allison) please check?

I wouldn't mind if this could be approved next week, but it is
my fault that it has taken so long so I can live with folks raising
additional issues.

There is a suggested set of rfc-editor notes below to help clarify things.
(Suggested by Roy Arends, Steve Bellovin, and Rob Austein.)

   Erik

---

Before the last paragraph in section 4 add this paragraph:

	In the latter two cases, the end consumer must also trust the
	path to the trusted resolvers.

Add this paragraph to the end of section 2.2:

	Note that having the AD bit clear on an authoritative answer is
	normal and expected behavior.

The draft also has an odd "MUST" in section 2.2.1:
  Organisations that require that all DNS responses contain
  cryptographically verified data MUST separate the functions of
  authoritative and recursive servers, as authoritative servers are not
  required to validate local secure data.
This introduces a new concept "local secure data", w/o defining it.

Replace that paragraph with:
  Organisations which require that all DNS responses contain
  cryptographically verified data will need to separate the
  authoritative name server and signature verification functions, since
  name servers are not required to validate signatures of data for which
  they are authoritative.

---
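As an added example that is not part of this mail or the draft: a small Python parser for the DNS message header flags, plus a classifier that applies the two points in the suggested notes above, namely that the AD bit clear on an authoritative answer (AA set) is normal and says nothing about security, and that an AD bit set is only meaningful to an end consumer who trusts the validating resolver and the path to it. The header layout follows RFC 1035 section 4.1.1 with the AD and CD bits from RFC 2535 section 6.1; the sample headers are constructed rather than captured, and the `resolver_trusted` parameter and the returned labels are my own naming, not anything from the draft.

```python
"""Parse a DNS message header and interpret the AD (Authenticated Data) bit.

Added example, not code from the mail or the draft. The flags word is laid out
as QR(1) Opcode(4) AA(1) TC(1) RD(1) RA(1) Z(1) AD(1) CD(1) RCODE(4).
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsHeader:
    id: int
    qr: bool
    opcode: int
    aa: bool
    tc: bool
    rd: bool
    ra: bool
    ad: bool
    cd: bool
    rcode: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def parse_header(msg: bytes) -> DnsHeader:
    """Decode the fixed 12-byte header at the start of a DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return DnsHeader(
        id=ident,
        qr=bool(flags & 0x8000),
        opcode=(flags >> 11) & 0xF,
        aa=bool(flags & 0x0400),
        tc=bool(flags & 0x0200),
        rd=bool(flags & 0x0100),
        ra=bool(flags & 0x0080),
        ad=bool(flags & 0x0020),
        cd=bool(flags & 0x0010),
        rcode=flags & 0x000F,
        qdcount=qd,
        ancount=an,
        nscount=ns,
        arcount=ar,
    )


def classify_answer(hdr: DnsHeader, resolver_trusted: bool) -> str:
    """Say how an end consumer should read the AD bit on this response.

    resolver_trusted (hypothetical parameter): True only when the response came
    from a validating resolver the consumer trusts, over a path it also trusts.
    """
    if not hdr.qr:
        return "query"
    if hdr.aa and not hdr.ad:
        # Authoritative servers are not required to validate the data they are
        # authoritative for, so AD clear here is normal, not a failure.
        return "authoritative, unvalidated (normal)"
    if hdr.ad and not resolver_trusted:
        # AD is a single unauthenticated header bit; anything on an untrusted
        # path could have set it, so it carries no assurance.
        return "ad set but untrusted path: treat as unvalidated"
    if hdr.ad:
        return "validated by trusted resolver"
    return "unvalidated"


def build_header(*, ident, qr, aa, rd, ra, ad, cd=False, rcode=0,
                 qdcount=1, ancount=1) -> bytes:
    """Construct a 12-byte header for testing (no question/answer sections)."""
    flags = ((int(qr) << 15) | (int(aa) << 10) | (int(rd) << 8) |
             (int(ra) << 7) | (int(ad) << 5) | (int(cd) << 4) | rcode)
    return struct.pack("!HHHHHH", ident, flags, qdcount, ancount, 0, 0)


# Constructed sample headers, not captured traffic.
AUTHORITATIVE_REPLY = build_header(ident=0x1234, qr=1, aa=1, rd=0, ra=0, ad=0)
RECURSIVE_VALIDATED = build_header(ident=0x1235, qr=1, aa=0, rd=1, ra=1, ad=1)

if __name__ == "__main__":
    for name, raw in (("authoritative", AUTHORITATIVE_REPLY),
                      ("recursive", RECURSIVE_VALIDATED)):
        h = parse_header(raw)
        print(name, "AA=%d AD=%d ->" % (h.aa, h.ad),
              classify_answer(h, resolver_trusted=False))
```

Running the block prints the classification of both constructed headers as seen from a consumer that does not trust its resolver path; flip `resolver_trusted` to True to see the recursive answer become "validated by trusted resolver" while the authoritative one stays unvalidated, which is the point of the proposed section 2.2 note.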