On Jul 20, 2008, at 10:15 AM, Paul Vixie wrote:
> proposal:
>
> stubs, and caching forwarding servers, when acting as initiators, should
> use TKEY over TCP/53 to try to set up a shared secret with their
> responders. if successful, this secret should be used for UDP/53 queries
> to that responder. if TKEY over TCP/53 is successful for some responders
> but not others, then the successful ones will be used exclusively. if at
> least one TSIG signed query transaction succeeds to a responder, and then
> later transactions fail with TSIG errors (BADSIG) then TKEY over TCP/53
> should be repeated. if no TSIG signed query ever succeeds, then after some
> small number of retries, the TKEY should be discarded and no longer used.
> in cases where TKEY over TCP/53 fails, or where a TKEY was acquired but
> then discarded, then TSIG must not be used on transactions to that
> responder.


Oh. I get it. You're trying to make deploying DNSSEC look easy in
comparison.

:-)

Regards,
-drc
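The fallback policy in the quoted proposal, written out as an added simulation that is not part of this thread: per-responder state on the stub or forwarder side, with the TKEY (TCP/53) and query (UDP/53) transports injected as plain callables so nothing touches the network. MAX_RETRIES, the per-secret retry budget, and all class and function names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_RETRIES = 3  # the proposal's "small number of retries"; the value is an assumption

@dataclass
class ResponderState:
    secret: Optional[bytes] = None  # shared secret obtained via TKEY, if any
    ever_ok: bool = False           # a query signed with this secret succeeded
    badsig: int = 0                 # consecutive BADSIG answers on this secret
    tsig_off: bool = False          # TKEY failed or secret discarded: never sign again

class Initiator:
    """Stub / caching-forwarder side. Transport is injected for simulation:
    tkey(responder) models TKEY over TCP/53 and returns a secret or None;
    query(responder, secret_or_None) models a UDP/53 query -> 'OK' or 'BADSIG'."""
    def __init__(self, tkey, query):
        self.tkey, self.query = tkey, query
        self.state: Dict[str, ResponderState] = {}

    def _negotiate(self, responder: str, st: ResponderState) -> None:
        st.secret = self.tkey(responder)
        st.ever_ok, st.badsig = False, 0  # retry budget is per secret (assumption)
        if st.secret is None:
            st.tsig_off = True            # TKEY failed: plain queries from now on

    def send(self, responder: str) -> str:
        """Send one query; returns 'signed' or 'unsigned' (how it went out)."""
        st = self.state.setdefault(responder, ResponderState())
        if st.secret is None and not st.tsig_off:
            self._negotiate(responder, st)
        if st.tsig_off:
            self.query(responder, None)
            return "unsigned"
        rc = self.query(responder, st.secret)
        if rc == "OK":
            st.ever_ok, st.badsig = True, 0
        elif rc == "BADSIG":
            st.badsig += 1
            if st.ever_ok:                  # worked before, so the key rotated: redo TKEY
                self._negotiate(responder, st)
            elif st.badsig >= MAX_RETRIES:  # never worked: discard and stop signing
                st.secret, st.tsig_off = None, True
        return "signed"

    def usable(self, responders: List[str]) -> List[str]:
        """Responders with a working secret are used exclusively when any exist."""
        keyed = [r for r in responders if self.state.get(r) and self.state[r].secret]
        return keyed or list(responders)
```

Resetting the success flag on every renegotiation is what keeps a responder that keeps answering BADSIG from driving an endless TKEY loop; it is discarded after MAX_RETRIES like any key that never worked.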



--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: