To:
Ted.Lindgreen@tednet.nl
Cc:
Dan Massey <masseyd@isi.edu>, dnssec@cafax.se
From:
Simon Josefsson <simon@josefsson.org>
Date:
18 Apr 2001 18:47:28 +0200
Delivery-Date:
Thu Apr 19 20:30:50 2001
In-Reply-To:
<200104181420.QAA15334@omval.tednet.nl> (ted@tednet.nl's message of "Wed, 18 Apr 2001 16:20:44 +0200")
Sender:
owner-dnssec@cafax.se
User-Agent:
Gnus/5.090003 (Oort Gnus v0.03) Emacs/21.0.102
Subject:
Re: Keys at apex problem
ted@tednet.nl (Ted Lindgreen) writes:

> > 3) The SSH keys shouldn't be present in the zone file.
> >
> > Replace SSH with IPSEC, SSL, etc, etc and you have the same problem.
> >
> > If the KEY record is only for zone keys, let's make the spec say that.
>
> This looks like a fundamental approach, but I'm not sure what changing
> the definition of a KEY RR in such a way would mean for further delays
> in implementing DNSSEC.

One solution that wouldn't require changing specifications nor implementations, and would remove this problem, would be to mandate a practice (both in the SSH DNSSEC-patches as well as with the zone file administrators) to add ssh KEY RRs as "_ssh.host.example.org" or something similar. E.g. inventing a subdomain where you store the ssh key for a host.

Of course, it is ugly but I don't see any immediate disadvantages and it does fix the problem we're discussing here.
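As an added illustration (not code from this thread or from any DNSSEC implementation), a small Python lint that reads a master-format zone fragment and reports KEY RRs that sit at a zone apex but are not DNSSEC zone keys, i.e. the application keys the "_ssh" label convention above would move off the apex. The zone text is constructed, the key material is a placeholder, and the flag semantics (NAMTYP bits 6-7, protocol 3 = DNSSEC) follow RFC 2535; the simplified "owner IN KEY flags protocol algorithm key" line format is an assumption.

```python
# RFC 2535 KEY RDATA: flags(16) protocol(8) algorithm(8) public key (base64).
# The NAMTYP field is bits 6-7 of the flags word; 01 = zone key, 10 = host/entity key.
NAMTYP_MASK = 0x0300
NAMTYP_ZONE = 0x0100
PROTO_DNSSEC = 3

# Constructed zone fragment (not from the thread); key data are placeholders.
ZONE = """\
example.org.            IN KEY 0x0100 3   1 PLACEHOLDERZONEKEY==
example.org.            IN KEY 0x0200 255 1 PLACEHOLDERHOSTKEY==
host.example.org.       IN KEY 0x0200 255 1 PLACEHOLDERSSHKEY==
_ssh.host.example.org.  IN KEY 0x0200 255 1 PLACEHOLDERSSHKEY==
"""


def parse_key_rrs(zone_text):
    """Return (owner, flags, protocol, algorithm) for each KEY RR line.

    Assumes one RR per line with the owner name in the first field; TTL and
    class are tolerated anywhere before the 'KEY' token.
    """
    rrs = []
    for line in zone_text.splitlines():
        fields = line.split()
        if "KEY" not in fields:
            continue
        i = fields.index("KEY")
        if len(fields) < i + 5:
            continue  # malformed: need flags, protocol, algorithm, key
        flags = int(fields[i + 1], 0)       # accepts 0x0100 or decimal 256
        proto, alg = int(fields[i + 2]), int(fields[i + 3])
        rrs.append((fields[0], flags, proto, alg))
    return rrs


def audit_apex_keys(zone_text, origin):
    """Return (owner, flags, protocol) for KEY RRs at the apex that are not zone keys.

    Every such record makes the apex KEY RRset change whenever an application
    key changes, which is the problem the '_ssh.host' placement avoids.
    """
    findings = []
    for owner, flags, proto, _alg in parse_key_rrs(zone_text):
        is_zone_key = (flags & NAMTYP_MASK) == NAMTYP_ZONE and proto == PROTO_DNSSEC
        if owner == origin and not is_zone_key:
            findings.append((owner, flags, proto))
    return findings


if __name__ == "__main__":
    print(audit_apex_keys(ZONE, "example.org."))        # the host key at the apex
    print(audit_apex_keys(ZONE, "host.example.org."))   # same issue if host.example.org is its own zone
    print(audit_apex_keys(ZONE, "_ssh.host.example.org."))  # nothing: never an apex in practice
```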