On Thu, Jul 02, 2015 at 05:13:01PM +0300, Yoav Nir wrote:
> The IPsec entity will resolve this FQDN with DNSSEC, yielding both an IP
> address and a DANE record. The DANE record can be used to identify the
> certificate or raw public key used in IKE.
What prevents IP address hijacking (mallory.example publishes alice.example's IP address and now mallory's IPSEC keys are used to encrypt traffic to alice)?

I thought that Paul Wouters is working on a more comprehensive specification, IIRC in an IPSEC working group where it can get better informed review. This is much more of an IPSEC design problem than a DANE design problem.

Once the IPSEC parts are in good shape, perhaps the document can be discussed here for any final DANE-specific issues (details of just the DANE RRset used for the document).

-- 
Viktor.
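A sketch of the name-to-key binding the quoted design implies, added here as an example; it is not code from the draft or from anyone in this thread. It assumes a TLSA-style record shape (usage, selector, matching type, association data, RFC 6698 fields) and uses constructed byte strings in place of real SubjectPublicKeyInfo blobs.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class DaneRecord:
    """One DNSSEC-validated record (assumed TLSA-style shape, RFC 6698 fields)."""
    owner: str      # owner name the record was validated under
    usage: int      # certificate usage; 3 = DANE-EE, the only one meaningful for a raw key
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def _association_data(spki: bytes, matching: int) -> bytes:
    if matching == 0:
        return spki
    if matching == 1:
        return hashlib.sha256(spki).digest()
    if matching == 2:
        return hashlib.sha512(spki).digest()
    raise ValueError(f"unsupported matching type {matching}")


def peer_key_matches(intended_fqdn: str, peer_spki: bytes, records) -> bool:
    """True iff a validated record under intended_fqdn binds the IKE peer's raw
    public key. Records owned by any other name are ignored, so a record that
    mallory.example controls can only vouch for mallory.example, whatever IP
    address its zone happens to publish."""
    for rec in records:
        if _norm(rec.owner) != _norm(intended_fqdn):
            continue
        if rec.usage != 3 or rec.selector != 1:
            continue  # a bare raw key has no chain and no full certificate to match
        if hmac.compare_digest(_association_data(peer_spki, rec.matching), rec.data):
            return True
    return False


# Constructed sample data: stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
ALICE_SPKI = b"constructed-spki-for-alice.example"
MALLORY_SPKI = b"constructed-spki-for-mallory.example"
RECORDS = [
    DaneRecord("alice.example.", 3, 1, 1, hashlib.sha256(ALICE_SPKI).digest()),
    DaneRecord("mallory.example.", 3, 1, 1, hashlib.sha256(MALLORY_SPKI).digest()),
]
```

Matching a key against a record under the intended FQDN is all this sketch checks; it does not establish how that FQDN was chosen, nor that the IP address it resolved to belongs to the name's owner, which is the gap the question above points at.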