To: Simon Josefsson <simon@josefsson.org>
Cc: <Ted.Lindgreen@tednet.nl>, Dan Massey <masseyd@isi.edu>, <dnssec@cafax.se>
From: Jakob Schlyter <jakob@crt.se>
Date: Thu, 19 Apr 2001 12:16:28 +0200 (CEST)
Delivery-Date: Thu Apr 19 20:30:52 2001
In-Reply-To: <ilu7l0if93z.fsf@barbar.josefsson.org>
Sender: owner-dnssec@cafax.se
Subject: Re: Keys at apex problem

On 18 Apr 2001, Simon Josefsson wrote:

> One solution that wouldn't require changing specifications nor
> implementations, and would remove this problem, would be to mandate a
> practice (both in the SSH DNSSEC-patches as well as with the zone file
> administrators) to add ssh KEY RR's as "_ssh.host.example.org" or
> something similar.

is there a problem changing the specs when there are no widely deployed
implementations? the only applications I know of that are using KEY are
isakmpd and fmeshd's ssh.

if we like to add a PUBKEY RR, we should do it now. it may be too late, but
as soon as people start using it, we're into more problems.

or we should make a workaround for the apex problem, either by relocating
the application keys (like _ssh.host.example.org) or by ignoring the
problem (and therefore prohibiting application keys at the apex).

relocation is always an option and how it is done could be specified in an
RFC on how to look up keys for a specific application.

/Jakob

--
Jakob Schlyter <jakob@crt.se>
Network Analyst
Phone: +46 31 701 42 13, +46 70 595 07 94
Carlstedt Research & Technology