DNSSEC mailing list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: <Ted.Lindgreen@tednet.nl>, "Dan Massey" <masseyd@isi.edu>, "Jakob Schlyter" <jakob@crt.se>
Cc: "Miek Gieben" <miekg@nlnetlabs.nl>, <dnssec@cafax.se>
From: "Scott Rose" <scottr@antd.nist.gov>
Date: Fri, 20 Apr 2001 09:15:50 -0400
Sender: owner-dnssec@cafax.se
Subject: Re: Keys at apex problem - New PUBKEY RR?


----- Original Message -----
From: "Ted Lindgreen" <ted@tednet.nl>


> [Quoting Dan Massey, on Apr 19, 22:14, in "Re: Keys at apex pro ..."]
>
> > .....
>
> Your analysis looks spot on to me.
>
> > So I guess that is the very long way of saying I'm in favor of
> > separating DNS infrastructure keys from application keys. I think
> > either CERT only or CERT+PUBKEY would work, but I don't know which
> > of those two is better.
>
> Yes, I think you are right.
>
Looking at the CERT description (RDATA format), it has a very similar
structure to the KEY record.  The same fields needed by a PUBKEY record are
found in the CERT.  I do not know how widely deployed the CERT record is,
but most DNS implementations know how to handle it.  I do feel a bit uneasy
of "taking over" the CERT record to use with public keys (which are not
certificates in themselves, but with a SIG, maybe they are ;-)

So the arguement for CERT would be:
1.  Already defined - easy to create an SSH, IPSEC, whatever  type
2.  No need to define another RR type with similar properties as KEY and
CERT (the PUBKEY RR)

against:
1.  Already deployed for certificates, not just keys (violating the intended
use of the CERT RR).
2.  Have to modify existing DNS implementations and other apps that use KEY
queries.

> >From the three alternatives I see:
>
> 1. Live with non-zone-KEY RRs in the apex.
> 2. Separate KEY RR usage (KEY in apex is zoneKEY and zoneKEY only,
>    KEY RRs outside apex are for other usage), and try to enforce
>    this usage by SHOULD of MUST.
> 3. Limit the KEY RR usage to zoneKEY only and use some other RR
>    for anything else.
>
> number 3 certainly looks the cleanest.
>

Since Dan and I are just "editors" and cannot make any changes without
concensus, if the WG things option 3 is the way to go, I'm all for it.  One
thing that will be an issue is the sudden useless fields in the KEY RR if it
is to be made DNS protocol only.  The spec will seem odd having a field set
to a constant value of 3 (DNSSEC protocol value in KEY).  We should change
that if we are going to be serious about spliting KEY into a DNS KEY RR and
other protocol PUBKEY or CERT.

Scott


> Regards,
> -- Ted.

Follow-Ups:
- Re: Keys at apex problem - New PUBKEY RR?
  - From: Simon Josefsson <simon+dnssec@josefsson.org>

References:
- Re: Keys at apex problem - New PUBKEY RR?
  - From: ted@tednet.nl (Ted Lindgreen)

Prev by Date: Re: Keys at apex problem - New PUBKEY RR?
Next by Date: Re: Keys at apex problem - New PUBKEY RR?
Prev by thread: Re: Keys at apex problem - New PUBKEY RR?
Next by thread: Re: Keys at apex problem - New PUBKEY RR?
Index(es):
- Date
- Thread

Home | Date list | Subject list