
[Design] Proposed output of mailkey

From: Sam Sgro <sam(at)freeswan.org>
Date: Wed Feb 19 2003 - 03:29:40 EST


I'm drafting up a little script that will help automate the process of sending OE DNS records to your ISP.

It has different output, depending on whether or not you're attempting to get them to change records for initiator-only OE - a KEY record in a forward domain - or full OE - a KEY and TXT in the reverse.

- The script may ultimately get called in different ways, or even automatically as a new key is generated.
- If no arguments are passed, perhaps we can guess that a machine's hostname is relevant. If FS is running, we could use the IPs bound by ipsecN devices for valid reverse IPs, or use the output of "showdefaults". I'm not certain how presumptive we should be.
- I intend to use "host -C" to aid users in knowing who to send this mail to. This can be overridden.
- If possible, I wish to use a similar method to "send-pr" - to give users a chance to edit the mail, including its destination and "From:" addresses, and ultimately to send it through sendmail. As well, I could provide a user frobbable setting to save this output in a file of their choosing instead of sending it.

Flames and grammatical corrections welcome.

Here is the output for forward only hosts:

[root@heron scripts]# ./mailkey --forward heron.crowgirl.com

I would like to secure my communications using initiator-only Opportunistic Encryption.

Opportunistic Encryption (OE) is the result of ongoing effort by the FreeS/WAN project (www.freeswan.org). It allows for the creation of dynamic IPSec connections between hosts without pre-arrangement, authenticated via RSA keys stored in DNS records.

Technical information on OE can be found in this RFC draft:


http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/draft-richardson-ipsec-opportunistic.txt

To this end, I need to publish the following KEY record for the hostname heron.crowgirl.com:

heron.crowgirl.com. IN KEY 0x4200 4 1 AQOhQgbi8W9ttasSaGe7Ue3AQWJ458L+IBEtJWR3iYXfq254lUTyuNfoyOzu+kmYTauDY6UbInNASebV8trK+CblwhKt5yXIKABKCya1GACcxM5T+WsxxT9LybDapu1pezkWWtXhXVgNiccex1LVw1tZUzGSETtH5HQP2Y/WcUAwOfb+auY/f9MMy1pyfWIA8hd18O/rhpVebqzztaOQaEuXwPDf78rGVZf1/pNS4EAE71kKaTyw6OMV7++yMXCNVUloh7nDRgmCYAqoNq17obUPd6u/5A3/IemTsgvbC8liKjn/Qy9pjYJWvBZIgRRvSaWmRayQjMQ7qaznqIxZsBWCar8mIeNMtbes83STWImu+z6P

Please be careful to preserve the spaces and/or quotation marks as written. These are important for the RSA key to survive processing.

If you have any questions about these records, or about DNS in general, please direct them to the FreeS/WAN support lists:

users@lists.freeswan.org

Thanks for your help in securing the 'net!

... and for Full OE, it's much the same:


[root@heron scripts]# ./mailkey --reverse 66.199.183.29

I would like to secure communications for my static IP 66.199.183.29 using Opportunistic Encryption.

Opportunistic Encryption (OE) is the result of ongoing effort by the FreeS/WAN project (www.freeswan.org). It allows for the creation of dynamic IPSec connections between hosts without pre-arrangement, authenticated via RSA keys stored in DNS records.

Technical information on OE can be found in this RFC draft:

http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/draft-richardson-ipsec-opportunistic.txt

To this end, I need you to publish the following DNS records in 66.199.183.29's reverse map.

This KEY record:

29.183.199.66.in-addr.arpa. IN KEY 0x4200 4 1 AQOhQgbi8W9ttasSaGe7Ue3AQWJ458L+IBEtJWR3iYXfq254lUTyuNfoyOzu+kmYTauDY6UbInNASebV8trK+CblwhKt5yXIKABKCya1GACcxM5T+WsxxT9LybDapu1pezkWWtXhXVgNiccex1LVw1tZUzGSETtH5HQP2Y/WcUAwOfb+auY/f9MMy1pyfWIA8hd18O/rhpVebqzztaOQaEuXwPDf78rGVZf1/pNS4EAE71kKaTyw6OMV7++yMXCNVUloh7nDRgmCYAqoNq17obUPd6u/5A3/IemTsgvbC8liKjn/Qy9pjYJWvBZIgRRvSaWmRayQjMQ7qaznqIxZsBWCar8mIeNMtbes83STWImu+z6P


and the following TXT record:

29.183.199.66.in-addr.arpa. IN TXT "X-IPsec-Server(10)=66.199.183.29" " AQOhQgbi8W9ttasSaGe7Ue3AQWJ458L+IBEtJWR3iYXfq254lUTyuNfoyOzu+kmYTauDY6UbInNASebV8trK+CblwhKt5yXIKABKCya1GACcxM5T+WsxxT9LybDapu1pezkWWtXhXVgNiccex1LVw1tZUzGSETtH5HQP2Y/WcUAwOfb+auY/f9MMy1pyfWIA8hd18O/rhpVebqzztaOQaEuXwPDf78rGVZf1/pNS4EAE71kKaTyw6OMV7++yMX" "CNVUloh7nDRgmCYAqoNq17obUPd6u/5A3/IemTsgvbC8liKjn/Qy9pjYJWvBZIgRRvSaWmRayQjMQ7qaznqIxZsBWCar8mIeNMtbes83STWImu+z6P"

Please be careful to preserve the spaces and/or quotation marks as written. These are important for the RSA key to survive processing.

If you have any questions about these records, or about DNS in general, please direct them to the FreeS/WAN support lists:

users@lists.freeswan.org

Thanks for your help in securing the 'net!

-- Sam Sgro sam@freeswan.org

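As an added example (not part of Sam's post or of the FreeS/WAN scripts), the record construction the proposal describes, in Python: the reverse-map owner name, the KEY record, and the TXT record with the key split into 255-byte DNS character-strings the way the mailkey output above does it, plus a parser that reassembles a published TXT record so an ISP's copy can be checked against the key that was sent. The sample key is constructed (same shape and length as the 2192-bit key in the mail, but not a real key); the X-IPsec-Server marker and the "0x4200 4 1" fields are taken from the mail.

```python
import base64
import ipaddress
import re

# A TXT RDATA is a sequence of character-strings, each at most 255 bytes.
MAX_CHARSTRING = 255
# KEY RDATA fields as used in the mail: flags 0x4200, protocol 4 (IPsec), algorithm 1 (RSA).
KEY_FIELDS = "0x4200 4 1"


def reverse_owner(ip):
    """Owner name in the reverse map, e.g. 29.183.199.66.in-addr.arpa. for 66.199.183.29."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."


def key_record(owner, pubkey_b64):
    """KEY record for initiator-only OE (forward name) or full OE (reverse name)."""
    return f"{owner} IN KEY {KEY_FIELDS} {pubkey_b64}"


def txt_record(ip, pubkey_b64):
    """TXT record for full OE: gateway marker first, then the key cut into <=255-byte strings.

    Layout mirrors the mailkey output: the key is prefixed with one space and the
    space counts toward the first 255-byte piece.
    """
    pieces = [f"X-IPsec-Server(10)={ip}"]
    body = " " + pubkey_b64
    pieces += [body[i:i + MAX_CHARSTRING] for i in range(0, len(body), MAX_CHARSTRING)]
    return f"{reverse_owner(ip)} IN TXT " + " ".join(f'"{p}"' for p in pieces)


def parse_txt_key(record):
    """Reassemble a quoted TXT record into (gateway_ip, key); rejects oversized strings."""
    strings = re.findall(r'"([^"]*)"', record)
    for s in strings:
        if len(s.encode()) > MAX_CHARSTRING:
            raise ValueError("character-string longer than 255 bytes")
    marker, rest = strings[0], "".join(strings[1:])
    return marker.split("=", 1)[1], rest.strip()


# Constructed sample RDATA (hypothetical, not a real key): exponent length 1,
# exponent 3, then a 274-byte "modulus" -> 276 bytes -> 368 base64 characters.
SAMPLE_KEY = base64.b64encode(bytes([1, 3]) + bytes(i % 256 for i in range(274))).decode()

if __name__ == "__main__":
    print(key_record("heron.crowgirl.com.", SAMPLE_KEY))
    print(txt_record("66.199.183.29", SAMPLE_KEY))
```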



Design mailing list
Design@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/design
Received on Wed Feb 19 22:56:17 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:32 EDT

