Re: dns hop by hop transaction security for queries - DNS
On Jul 20, 2008, at 10:15 AM, Paul Vixie wrote:
> proposal:
>
> stubs, and caching forwarding servers, when acting as initiators, should
> use TKEY over TCP/53 to try to set up a shared secret with their
> responders. if successful, this secret should be used for UDP/53
> to that responder. if TKEY over TCP/53 is successful for some
> but not others, then the successful ones will be used exclusively. if at
> least one TSIG signed query transaction succeeds to a responder, and
> later transactions fail with TSIG errors (BADSIG) then TKEY over TCP/
> should be repeated. if no TSIG signed query ever succeeds, then after some
> small number of retries, the TKEY should be discarded and no longer
> in cases where TKEY over TCP/53 fails, or where a TKEY was
> acquired but then discarded, then TSIG must not be used on transactions to
> that responder.
Oh. I get it. You're trying to make deploying DNSSEC look easy in
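The per-responder policy in the quoted proposal is a small state machine (TKEY over TCP to get a secret, TSIG on UDP while it works, re-key on BADSIG after a prior success, discard after a few never-successful retries, and never sign again once discarded). The following is an added simulation of that initiator-side logic; it is not code from the original post, from Paul Vixie, or from any DNS implementation. The wire protocol is replaced by in-process mock responders, the "TSIG" is a plain HMAC-SHA256 over the query name standing in for RFC 2845 TSIG, and MAX_RETRIES is an assumed value for the proposal's "some small number of retries".

```python
"""Simulation of the initiator policy from the quoted proposal (added example).
Transport and responders are mocked; the MAC is a stand-in for real TSIG."""
import hashlib
import hmac
import os

MAX_RETRIES = 3  # assumption: the proposal's "small number of retries"


class MockResponder:
    """A responder as seen by the initiator (constructed for the example)."""

    def __init__(self, name, tkey_enabled=True, verify_ok=True):
        self.name = name
        self.tkey_enabled = tkey_enabled  # False: TKEY over TCP/53 fails
        self.verify_ok = verify_ok        # False: every signed query gets BADSIG
        self.key = None

    def tkey_over_tcp(self):
        """TKEY exchange over TCP/53: returns the shared secret, or None on failure."""
        if not self.tkey_enabled:
            return None
        self.key = os.urandom(32)
        return self.key

    def restart(self):
        """Responder lost its TKEY state; old secrets now produce BADSIG."""
        self.key = None

    def query_over_udp(self, qname, mac=None):
        """Answer a UDP/53 query; returns (rcode, answer). Unsigned queries are accepted."""
        if mac is not None:
            if self.key is None or not self.verify_ok:
                return ("BADSIG", None)
            expected = hmac.new(self.key, qname.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(mac, expected):
                return ("BADSIG", None)
        return ("NOERROR", f"answer for {qname} from {self.name}")


class ResponderState:
    """What the initiator remembers about one responder."""

    def __init__(self):
        self.secret = None
        self.ever_succeeded = False  # at least one TSIG-signed transaction worked
        self.failures = 0            # consecutive BADSIG results
        self.tsig_forbidden = False  # TKEY failed or was discarded: never sign again


class Initiator:
    """Stub or forwarder applying the proposal's per-responder policy."""

    def __init__(self, responders):
        self.responders = list(responders)
        self.state = {r.name: ResponderState() for r in self.responders}
        for r in self.responders:
            self._setup(r)

    def _setup(self, r):
        st = self.state[r.name]
        if st.tsig_forbidden:
            return
        st.secret = r.tkey_over_tcp()
        if st.secret is None:  # TKEY over TCP/53 failed: TSIG must not be used
            st.tsig_forbidden = True

    def usable(self):
        """Responders holding a secret are used exclusively when any exist."""
        signed = [r for r in self.responders if self.state[r.name].secret is not None]
        return signed or list(self.responders)

    def resolve(self, qname):
        for _ in range(2 * MAX_RETRIES):  # bound the retry/re-key loop
            r = self.usable()[0]
            st = self.state[r.name]
            if st.secret is None:  # no secret (failed or discarded): send unsigned
                return r.query_over_udp(qname)[1]
            mac = hmac.new(st.secret, qname.encode(), hashlib.sha256).digest()
            rcode, answer = r.query_over_udp(qname, mac)
            if rcode == "NOERROR":
                st.ever_succeeded = True
                st.failures = 0
                return answer
            st.failures += 1  # BADSIG
            if st.ever_succeeded and st.failures < MAX_RETRIES:
                self._setup(r)  # signing used to work: repeat TKEY over TCP/53
            elif st.failures >= MAX_RETRIES:
                st.secret = None  # never worked (or re-keying keeps failing): discard
                st.tsig_forbidden = True
        raise RuntimeError(f"no usable answer for {qname}")


if __name__ == "__main__":
    a, b = MockResponder("a"), MockResponder("b", tkey_enabled=False)
    init = Initiator([a, b])
    print([r.name for r in init.usable()])   # only 'a' got a TKEY secret
    print(init.resolve("www.example."))
    a.restart()                              # next signed query gets BADSIG -> re-key
    print(init.resolve("www.example."))
```

Note what the policy does not do: a responder whose TKEY failed is still queried, just unsigned, so the scheme only protects hops where both ends support it, which is the point the reply above is making.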