[Design] Re: lookup of self-TXT/KEY

-----BEGIN PGP SIGNED MESSAGE-----
| From: Michael Richardson <mcr@sandelman.ottawa.on.ca>

| DHR, 1) do you require that you find both the TXT and the KEY record for
| a host-only OE, or will KEY suffice?

The intent is that Pluto will only initiate OE if it can see sufficient credentials in DNS for the other side to respond.

For an initiation on behalf of itself, a KEY is sufficient.

For an initiation on behalf of a client behind, TXT is required and, if the TXT does not contain the public key, a KEY is also required.

| 2) is there a way to override this?

Not currently.

| 3) Will it retry?

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

No. This is part of a general (planned to be fixed) lack of retrying.

| The problem that I get is that the DNS query to lookup self may itself
| cause OE, and may fail, and if it does, then we won't do OE again.

Remember that there is a single thread of queries currently. So the initial queries will fail in a predictable order. Blast a hole to a nice DNS *first* (a lame workaround, not a solution).

The other side will probably have a go at OE if it is configured suitably. So all is not lost.

Hugh Redelmeier
hugh@mimosa.com voice: +1 416 482-8253

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPmzxssFAuQPManGZAQFxTwQArOvNJPP3dJsHXwL+6m0qKb5NsJdLG+Re hY4hAFm18p7Y4z4fBvjeoH+zWzeJkK3VeyvYDFCokevNnHrz5vbSEL8XTZrO+IH+ g6m1tulvQJpPMIk9OhrjDqZhpnr+k4iuANoAreEre8nBMf+0dUruRnxPl4ItBBBT 1tnUD7O4K3Q=
=/3/e
-----END PGP SIGNATURE-----