In message <[email protected]>, Andrew Sullivan writes:
> On Wed, Feb 26, 2014 at 07:41:00PM -0500, Paul Wouters wrote:
> > seems to agree doing DNSSEC on the host itself (server or in-app) is
> > still the preferred method.
> 
> Is Microsoft's method still to prefer the AD bit from the server, but
> use IPSec between the clients and the servers?  That would seem to be
> similar to your concern.

Blindly trusting AD from anything other than 127.0.0.1 / ::1 is
asking for trouble even if IPsec is being used.  The problem is
that you still need to trust the server and anything over the net
should be untrusted by default.

Adding a trusted key clause to resolv.conf would work e.g.

trusted-key start-date end-date . 257 3 8 
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="

Better still would be an RFC 5011 replacement that published START
and END dates along with a poll frequency for keys that should be
used as trust anchors along with the key material.  The START and
END dates would be updated periodically.  RFC 5011 is a gross hack.
We can do significantly better.

If the trusted-key clauses haven't been updated before the end date,
the validator ignores the trusted key.  If there are no trusted-key
clauses left, you treat everything as insecure.

> Best,
> 
> A
> 
> -- 
> Andrew Sullivan
> [email protected]
> 
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
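The trust-anchor rule sketched in the message above (a trusted-key clause with START and END dates, anchors outside their window ignored, and fall-back to treating everything as insecure when none is left), worked through as an added example. This is not code from the message, from ISC or from BIND; it assumes a hypothetical clause layout `trusted-key START END NAME FLAGS PROTO ALG "BASE64"`, ISO YYYY-MM-DD dates and an exclusive END, none of which the message specifies. The key material is the DNSKEY quoted in the message; the two validity windows are constructed.

```python
"""Validity-windowed DNSSEC trust anchors, after the proposal in the message.

Added example, not from the message or from ISC/BIND.  Assumptions: the
clause format `trusted-key START END NAME FLAGS PROTO ALG "BASE64"`, dates
written as YYYY-MM-DD, END exclusive.
"""
import base64
import struct
from dataclasses import dataclass
from datetime import date

# DNSKEY material quoted in the message (root KSK, 257 3 8).
ROOT_KEY = (
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/R"
    "StIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68"
    "LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQ"
    "dXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="
)

# Constructed resolv.conf fragment: the clause as first issued, then its
# periodic re-issue with a later (overlapping) START/END window.
SAMPLE_RESOLV_CONF = f'''
nameserver 127.0.0.1
# trust anchors with validity windows (hypothetical syntax)
trusted-key 2014-01-01 2015-01-01 . 257 3 8 "{ROOT_KEY}"
trusted-key 2014-10-01 2015-10-01 . 257 3 8 "{ROOT_KEY}"
'''


@dataclass(frozen=True)
class TrustAnchor:
    start: date          # first day the anchor may be used
    end: date            # day from which it is ignored (exclusive, assumed)
    name: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire form: flags, protocol, algorithm, key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (for algorithms other than 1)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def usable_on(self, day: date) -> bool:
        return self.start <= day < self.end


def parse_trusted_keys(text: str) -> list[TrustAnchor]:
    """Return the trusted-key clauses found in resolv.conf-style text."""
    anchors = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("trusted-key"):
            continue  # comments, nameserver lines, blanks
        fields = line.split(None, 7)
        if len(fields) != 8:
            raise ValueError(f"malformed trusted-key clause: {raw!r}")
        _, start, end, name, flags, proto, alg, key = fields
        key_bytes = base64.b64decode(key.strip().strip('"'), validate=True)
        anchors.append(TrustAnchor(date.fromisoformat(start), date.fromisoformat(end),
                                   name, int(flags), int(proto), int(alg), key_bytes))
    return anchors


def select_anchors(anchors: list[TrustAnchor], today: date) -> tuple[str, list[int]]:
    """Apply the rule from the message: drop anchors outside their window;
    with none left the validator must treat everything as insecure.
    Returns the mode and the key tags of the anchors still in force."""
    usable = {a.key_tag() for a in anchors if a.usable_on(today)}
    return ("secure" if usable else "insecure"), sorted(usable)


def validation_mode(text: str, iso_day: str) -> tuple[str, list[int]]:
    """Parse the config and evaluate it for a YYYY-MM-DD day."""
    return select_anchors(parse_trusted_keys(text), date.fromisoformat(iso_day))


if __name__ == "__main__":
    for day in ("2013-12-31", "2014-06-01", "2015-03-01", "2015-10-01"):
        print(day, *validation_mode(SAMPLE_RESOLV_CONF, day))
```

Running the block walks four dates through the sample: before the first window nothing is trusted, inside either window the single key (both clauses carry the same material, so one key tag) is usable, and once the re-issued window has also lapsed the resolver drops to insecure rather than validating against stale material. The stale-anchor outcome is the point: an operator who stops refreshing the clauses loses validation, which is visible, instead of silently trusting a key that may have been rolled.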