Kevin Oberman wrote:
>> Date: Mon, 08 Mar 2010 10:03:26 -0800
>> From: Michael Sinatra <mich...@rancid.berkeley.edu>
>> Sender: bind-users-bounces+oberman=es....@lists.isc.org
>>
>> On 3/7/10 10:46 AM, Danny Mayer wrote:
>>
>>> Autokey is not a cryptographic signature protocol. It *is* an
>>> authentication protocol for the server only and there are a number of
>>> exchanges that need to be done to complete the authentication of the
>>> server. You cannot compare this with DNSSEC and nothing in NTP is encrypted.
>> Correct, the comparison was only to point out that Autokey, like DNSSEC,
>> doesn't encrypt payload because it doesn't need to.
>
> More specifically, I don't WANT to encrypt the data for either DNS or
> NTP. In both cases I want the data to always be signed clear-text and
> that is what DNSSEC does.

I'll put it stronger than that. DNSSEC authenticates the server's
*response* and does it in one packet while autokey authenticates the
*server* itself and it takes a number of exchanges of packets before the
client will consider the server as authenticated and it can rely on the
authenticated packets after that.

Danny
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users