On Wed, 3 Jun 2009, Christian Huitema wrote:
Also, it is actually possible to improve on DNSSEC by introducing additional knowledge. If two domains have an established relation, their servers can memorize the relevant public keys. If a host has a relation with a domain, it can memorize that domain's public key. This kind of "peer-to-peer" improvement makes the domain-to-domain or host-to-domain DNSSEC service immune to attacks by nodes higher in the hierarchy.
How do you handle key changes? How do you determine if the key change is performed by the domain holder or an attacker? There is no reason for such a "leap of faith" caching. In fact, with SSHFP records, we can also nail down that leap of faith for ssh finally :)

Paul
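The two verification models discussed in this exchange, the "memorize the key" leap of faith and the SSHFP-anchored check, side by side as an added example (not code from the thread or from any IETF project): the SSHFP parsing and fingerprinting follow the RR's presentation format, while the pin store, the `verify_host_key` policy and the `dnssec_validated` flag standing in for a validating resolver's AD bit are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP code points (RFC 4255, RFC 6594, RFC 7479): algorithm and fingerprint type.
SSHFP_ALGORITHMS = {1: "ssh-rsa", 2: "ssh-dss", 3: "ecdsa", 4: "ssh-ed25519"}
SSHFP_HASHES = {1: "sha1", 2: "sha256"}

def parse_sshfp(rdata):
    """Parse the presentation form 'alg fptype hex-fingerprint' of an SSHFP record."""
    alg, fptype, fp = rdata.split(None, 2)
    return int(alg), int(fptype), fp.replace(" ", "").lower()

def host_key_fingerprint(pubkey_line, fptype):
    """Hash the raw key blob, i.e. the base64 field of an OpenSSH public key line."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return hashlib.new(SSHFP_HASHES[fptype], blob).hexdigest()

def sshfp_matches(pubkey_line, rdata):
    """True only if key type and fingerprint both agree with the SSHFP record."""
    alg, fptype, fp = parse_sshfp(rdata)
    if alg not in SSHFP_ALGORITHMS or fptype not in SSHFP_HASHES:
        return False
    if not pubkey_line.split()[0].startswith(SSHFP_ALGORITHMS[alg]):
        return False
    return hmac.compare_digest(host_key_fingerprint(pubkey_line, fptype), fp)

class PinStore:
    """Leap-of-faith cache: remembers the first key seen for each host."""
    def __init__(self):
        self.pins = {}
    def check(self, host, pubkey_line):
        # A 'changed' result alone cannot tell a legitimate rollover from an attacker.
        if host not in self.pins:
            self.pins[host] = pubkey_line
            return "new"
        return "match" if self.pins[host] == pubkey_line else "changed"

def verify_host_key(host, pubkey_line, pins, sshfp_rdata=None, dnssec_validated=False):
    # Decide by a DNSSEC-validated SSHFP record when one exists; otherwise fall back to
    # pinning. dnssec_validated stands in for the resolver's AD flag (an assumption here).
    if sshfp_rdata is not None and dnssec_validated:
        return "sshfp-ok" if sshfp_matches(pubkey_line, sshfp_rdata) else "sshfp-mismatch"
    return pins.check(host, pubkey_line)

# Constructed sample: an ssh-ed25519 wire blob around dummy key bytes, not a real key.
SAMPLE_BLOB = b"".join(struct.pack(">I", len(p)) + p
                       for p in (b"ssh-ed25519", bytes(range(32))))
SAMPLE_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " sample"
```

Without a validated SSHFP record the pin store can only report that a key changed, which is exactly the question the reply raises; with one, the decision no longer depends on what was memorized earlier.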