[Standards] dnssec

[Bruce Campbell]

On Wed, 28 Mar 2007, Matthias Wimmer wrote:

> Ralph Meijer schrieb:
>> Actually I think that using DNS-SEC as a source for authentication would
>> be in combination with SASL EXTERNAL, just like how we now use TLS
>> certs. I'm not sure if you need to explicitly mention alternates.
>
> Could somebody please give me a clue how DNSsec would be used for
> authentication? Due to my knowledge DNSsec can only be used to make
> sure, that DNS responses are not spoofed. So you get a trustable IP
> address from your DNS resolver. But this leaves the door open for any
> attack, that does not require spoofing the IP address.

The thing about DNSSEC is that it secures the information that you obtain 
via the DNS protocol.  However, you can store things other than the IP 
address of a remote host in the DNS; you could also store the verification 
for the host's connection certificate in the DNS, thus easing the pain of 
distributing certs for DNSSEC-aware clients.  ( I'm glossing over a lot of 
details here ).

However, this usage only assists in the authentication of a server to a 
client or another server.  It does not assist in the authentication of a 
client to a server.  Without the client or server having a closer 
connection to DNS records (and thus yet another dependency), using DNSSEC 
to authenticate a client to a server is not usable by the common client.

You could have the client and/or server run their own DNSSEC server on a 
negotiated port... but thats getting excessive.

-- 
   Bruce Campbell.