Re: [IPSECKEY] the -01 draft
>>>>> "Jakob" == Jakob Schlyter <jakob@crt.se> writes:
Jakob> I think the resolution process should be stated.
Jakob> in draft-ietf-secsh-dns we wrote:
Jakob> "Clients that do not validate the DNSSEC signatures themselves
Jakob> MUST use a secure transport, e.g. TSIG [8], SIG(0) [9] or IPsec [7],
Jakob> between themselves and the entity performing the signature
Jakob> validation."

I'd rather write:

    Clients that do not validate the DNSSEC signatures themselves
    MUST communicate with a recursive resolver that does DNSSEC resolution
    using either a secure channel: local to the host, or via a TSIG
    or SIG(0) with another host.

] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-
This is the IPSECKEY@sandelman.ca list.
Email to ipseckey-request@sandelman.ca to be removed.
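
Added example, not part of the original message or of either draft: the rule in the proposed wording expressed as a stub-resolver check in Python, where a non-validating client accepts the resolver's AD (Authentic Data) header bit only when the channel is local to the host or authenticated with TSIG or SIG(0). The names `Channel`, `answer_is_authenticated` and `make_header`, the use of a loopback address to model "local to the host", and the sample headers are assumptions constructed for illustration.

```python
import ipaddress
import struct
from dataclasses import dataclass

QR_FLAG = 0x8000     # message is a response
AD_FLAG = 0x0020     # resolver claims the answer passed DNSSEC validation
RCODE_MASK = 0x000F  # low four bits of the flags word


@dataclass
class Channel:
    """How the stub reached the validating resolver (hypothetical type)."""
    resolver_ip: str
    tsig_verified: bool = False  # response MAC verified with a shared TSIG key
    sig0_verified: bool = False  # response SIG(0) verified with the resolver's key


def channel_is_secure(ch: Channel) -> bool:
    # Assumption: "local to the host" is modelled as a loopback address.
    if ipaddress.ip_address(ch.resolver_ip).is_loopback:
        return True
    return ch.tsig_verified or ch.sig0_verified


def parse_flags(msg: bytes) -> int:
    """Return the 16-bit flags word from a DNS message header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _msg_id, flags = struct.unpack("!HH", msg[:4])
    return flags


def answer_is_authenticated(msg: bytes, ch: Channel) -> bool:
    """True only if AD is set AND it arrived over a channel we can trust."""
    flags = parse_flags(msg)
    if not (flags & QR_FLAG) or (flags & RCODE_MASK) != 0:
        return False
    if not (flags & AD_FLAG):
        return False
    # An AD bit received over an unprotected path can be set by anyone on-path.
    return channel_is_secure(ch)


def make_header(ad: bool, rcode: int = 0) -> bytes:
    """Constructed sample: a 12-byte response header with RD and RA set."""
    flags = QR_FLAG | 0x0100 | 0x0080 | (AD_FLAG if ad else 0) | rcode
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
```
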