Hi,

I am interested in using a variant of DANE to bootstrap my IPSec IKE root certificate trust. Is anyone aware of any work being done in this area?

From my understanding, it looks as though there is no technical issue with using reverse DNS lookup for the IPSec target machine with DNSSec (although this may be a little unreliable on the "real-world" internet), so returning standard DANE entries for the IPSec certificate. Then I would simply use these as part of the standard IPSec certificate validation algorithm.

Looking at similar proposed applications of DANE, such as the draft-ietf-dane-srv, mostly this involves defining an appropriate protocol query name (for example _ipsec.123.123.123.123.in-addr.arpa).

Is this something that would fit into an existing document either from the IKE side or the DANE side? Or would it be worth me creating a more extensive proposal?

Regards,
David L

P.S. Sorry for cross-signing two lists!

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
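
The lookup-and-match step described in the message above, as an added example that is not part of the original post or of any IKE or DANE document: it builds the reverse-DNS query name and matches TLSA-style records against the certificate chain an IKE peer presents. Assumptions: the records reuse the RFC 6698 TLSA fields (usage, selector, matching type, data), the `_ipsec` label is the post's own example, the function names are hypothetical, and the caller's resolver reports whether the answer was DNSSEC-validated.

```python
import hashlib
import hmac
import ipaddress

DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}  # TLSA matching types 1 and 2

def ipsec_tlsa_qname(peer_ip, label="_ipsec"):
    """Query name for a peer; "_ipsec" is the post's example label, not a registered one."""
    return f"{label}.{ipaddress.ip_address(peer_ip).reverse_pointer}."

def tlsa_matches(record, cert_der, spki_der):
    """Compare one (usage, selector, mtype, data) record with one certificate."""
    _usage, selector, mtype, data = record
    if selector not in (0, 1):
        return False
    selected = cert_der if selector == 0 else spki_der  # full cert or public key
    if mtype == 0:
        candidate = selected
    elif mtype in DIGESTS:
        candidate = DIGESTS[mtype](selected).digest()
    else:
        return False  # unknown matching type is never a match
    return hmac.compare_digest(candidate, data)

def dane_anchor(rrset, dnssec_validated, chain):
    """Return (usage, chain_index) of the first matching record, or None.

    chain is [(cert_der, spki_der), ...] as sent by the IKE peer, leaf first.
    Usage 3 must match the leaf; usage 2 may match any issuer in the chain,
    which then anchors ordinary path validation (not done here). The PKIX
    usages 0 and 1 are not handled here.
    """
    if not dnssec_validated:  # unsigned or bogus answers must not pin anything
        return None
    for record in rrset:
        if record[0] == 3:
            candidates = range(min(1, len(chain)))
        elif record[0] == 2:
            candidates = range(1, len(chain))
        else:
            continue
        for i in candidates:
            if tlsa_matches(record, *chain[i]):
                return (record[0], i)
    return None

# Constructed sample data: opaque byte strings standing in for DER encodings.
SAMPLE_CHAIN = [(b"leaf-cert", b"leaf-spki"), (b"ca-cert", b"ca-spki")]
SAMPLE_RRSET = [(2, 0, 1, hashlib.sha256(b"ca-cert").digest())]
```

A `None` result means the peer's chain gets no trust from DNS, which covers both a missing DNSSEC validation and a record set that matches nothing in the chain.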