linux-ipsec: Re: your mail
On Tue, 1 Dec 1998, Bjoern Steinemann wrote:
> will do my "Studienarbeit" (some kind of thesis with both academical and
> practical aspects) in the fields of cryptography/network security with
> IPsec and would like to contribute something to this project.
> What parts of IPsec must be implemented in the near future?
Much of what needs doing in the near future, unfortunately, is boring
details of code cleanup, documentation, porting, etc...
Hmm. One area that we will want to start work on before too very long is
authenticating IKE daemons to each other using Secure DNS (see RFC 2065).
Some work has been done on implementations of Secure DNS -- there's a copy
in our FTP area on xs4all.nl -- but my recollection (it's been a while
since I looked at it) is that it hasn't gone as far as we'd like. Efforts
there could be helpful.
For example, what we really want in the daemon is a C function which we
can call to get *trusted* DNS data for a name -- that is, a signature-verifying
DNS resolver. That function has to work its way down from the
DNS root servers (whose public key can be assumed to be known, obtained by
other means), checking signatures as it goes, until it reaches the name in
question. It should return failure if a signature check fails, or it is
unable to find the necessary information for a signature check, anywhere
in this process.
Henry Spencer
henry@spsystems.net
(henry@zoo.toronto.edu)
Received on Wed Dec 2 01:47:20 1998
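The top-down walk described in the message above, as an added example (not code from the post or from the project). It assumes toy RSA keys and a toy hash in place of real Secure DNS signatures and an in-memory zone table in place of network queries; `trusted_lookup`, `setup` and all zone data are hypothetical, constructed names and values.

```c
#include <stdio.h>
#include <string.h>

/* Toy RSA and hash stand in for real DNSSEC crypto; every value below is constructed. */
struct zone { const char *name; int parent; unsigned long n, e, d, key_sig; };
struct rec  { const char *owner, *data; int zone; unsigned long sig; };
static struct zone zones[] = { {".", -1, 3233, 17, 2753, 0},   /* root key: trusted */
    {"test", 0, 8633, 5, 5069, 0}, {"example.test", 1, 11413, 3, 7467, 0} };
static struct rec recs[] = { {"mail.example.test", "192.0.2.25", 2, 0} };
enum { NZ = 3, NR = 1 };
static unsigned long modpow(unsigned long b, unsigned long x, unsigned long n) {
    unsigned long r = 1;
    for (b %= n; x; x >>= 1, b = b * b % n) if (x & 1) r = r * b % n;
    return r;
}
static unsigned long digest(const char *s, unsigned long h, unsigned long n) {
    for (h += 5381; *s; s++) h = (h * 33 + (unsigned char)*s) % n;
    return h;
}
static int under(const char *q, const char *z) {    /* is name q inside zone z? */
    size_t lq = strlen(q), lz = strlen(z);
    return lq >= lz && !strcmp(q + lq - lz, z) && (lq == lz || q[lq - lz - 1] == '.');
}

/* Sample signer: parents sign child keys, the zone signs its record (d is used only here). */
void setup(void) {
    for (int i = 1; i < NZ; i++) {
        struct zone *c = &zones[i], *p = &zones[c->parent];
        c->key_sig = modpow(digest(c->name, c->n + c->e, p->n), p->d, p->n);
    }
    recs[0].sig = modpow(digest(recs[0].data, 0, zones[2].n), zones[2].d, zones[2].n);
}
/* Walk down from the trusted root key; 0 = verified, -1 = failed or missing check. */
int trusted_lookup(const char *q, char *out, size_t len) {
    struct zone *p = &zones[0], *c;          /* p: deepest zone whose key is verified */
    for (;;) {
        c = NULL;
        for (int i = 1; i < NZ; i++)
            if (zones[i].parent == p - zones && under(q, zones[i].name)) c = &zones[i];
        if (!c) break;                       /* no deeper delegation covers q */
        if (modpow(c->key_sig, p->e, p->n) != digest(c->name, c->n + c->e, p->n)) return -1;
        p = c;                               /* child key is vouched for by its parent */
    }
    for (int r = 0; r < NR; r++)
        if (recs[r].zone == p - zones && !strcmp(recs[r].owner, q)) {
            if (modpow(recs[r].sig, p->e, p->n) != digest(recs[r].data, 0, p->n)) return -1;
            return (size_t)snprintf(out, len, "%s", recs[r].data) < len ? 0 : -1;
        }
    return -1;                               /* no signed data for this name */
}
```

Call `setup()` once to sign the sample data, then `trusted_lookup("mail.example.test", buf, sizeof buf)`; only the root entry's `n` and `e` are taken on trust.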
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:08 EDT