To: Jakob Schlyter <jakob@crt.se>
Cc: Simon Josefsson <simon@josefsson.org>, Ted.Lindgreen@tednet.nl, Dan Massey <masseyd@isi.edu>, dnssec@cafax.se
From: Miek Gieben <miekg@nlnetlabs.nl>
Date: Thu, 19 Apr 2001 13:25:13 +0200
Delivery-Date: Thu Apr 19 20:30:54 2001
In-Reply-To: <Pine.BSO.4.33.0104191209220.6456-100000@fonbella.crt.se>; from jakob@crt.se on Thu, Apr 19, 2001 at 12:16:28PM +0200
Sender: owner-dnssec@cafax.se
Subject: Re: Keys at apex problem

On Thu, Apr 19, 2001 at 12:16:28PM +0200, Jakob Schlyter wrote:
> On 18 Apr 2001, Simon Josefsson wrote:
> is there a problem changing the specs when there are no widely deployed
> implementations? the only applications I know of that are using KEY are
> isakmpd and fmeshd's ssh.
>
> if we like to add a PUBKEY RR, we should do it now. it may be too late, but
> as soon as people start using it, we're into more problems. or we should
> make a workaround for the apex problem, either by relocating the
> application keys (like _ssh.host.example.org) or by ignoring the problem
> (and therefore prohibiting application keys at the apex). relocation is
> always an option and how it is done could be specified in an RFC on how to
> lookup keys for a specific application.

I like the idea of adding a new RR more than using subzones for storing
public keys. As we are about to remove the NULL key, why not add such a
new RR?

grtz Miek