On Wed, 17 Feb 2010, Phillip Hallam-Baker wrote:

> One mechanism that was unfortunately pushed aside as a result of the
> fixation on end to end DNSSEC would be for the resolver to use
> DNSSEC (and other methods) to authenticate the data it receives and to
> use some modification of TSIG to authenticate the communication
> between client and resolver.

I don't think that has been pushed aside. There's not much interest in it at the moment because the focus is on authoritative-to-recursive DNSSEC. Maybe attention will turn to recursive-to-stub security once there is more assurance that the recursive server's answers are authentic.

> It would not take a great deal of effort to graft a Kerberos like scheme
> on to effect key exchange.

Or use SIG(0).

Tony.
--
f.anthony.n.finch <dot@xxxxxxxx> http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
MODERATE OR GOOD.