Opportunistic Encryption with DANE Semantics and IPsec: IPSECA
draft-osterweil-dane-ipsec-00

Document type: Expired Internet-Draft (individual)
Last updated: 2014-08-17 (latest revision 2014-02-13)
Stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor note: (None)
IESG state: Expired
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at
https://www.ietf.org/archive/id/draft-osterweil-dane-ipsec-00.txt

Abstract

The query/response transactions of the Domain Name System (DNS) can disclose valuable metadata about the online activities of DNS users. The DNS Security Extensions (DNSSEC) provide object-level security, but do not attempt to secure the DNS transaction itself. For example, DNSSEC does not protect against information leakage, and it only protects DNS data as far as the last validating recursive resolver. Stub resolvers are therefore exposed to adversaries in the network between themselves and their validating resolver ("the last mile"). This document details a new DANE-like DNS Resource Record (RR) type called IPSECA, and explains how to use it to bootstrap DNS transactions by informing entries in IPsec Security Policy Databases (SPDs) and subsequently verifying the Security Associations (SAs) of opportunistic-encryption (OE) IPsec tunnels.

Authors

Eric Osterweil (eosterweil@verisign.com)
Glen Wiley (gwiley@verisign.com)
Dave Mitchell (dave@twitter.com)
Andrew Newton (andy@arin.net)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)