To:
dnssec@cafax.se
Cc:
lewis@tislabs.com
From:
Edward Lewis <lewis@tislabs.com>
Date:
Mon, 23 Apr 2001 09:17:09 -0400
In-Reply-To:
<20010421014202U.he@runit.no>
Sender:
owner-dnssec@cafax.se
Subject:
Re: Keys at apex problem - New PUBKEY RR?
Why does it seem that all the interesting discussions happen when I'm
travelling?
Here are my $.02 (US):
1) There is nothing really broken with the current KEY RR holding
non-DNSSEC keys even at the apex. True, putting, e.g., IPSEC keys at the
apex and getting them signed by the parent is ill advised, but the protocol
will work for this.
2) There is an installed base of code that implements the current specs on
this - BIND 9! No, not many applications, but enough has been done to make
me shy away from advocating a redefinition of anything.
Recommendations:
Do not change the protocol specification of the KEY RR.
Do not make the handling of non-zone keys at the apex a special case.
Don't hijack the CERT record from its current role.
Do discourage non-zone keys in the apex KEY by offering an alternative. Of
the two alternatives, the PUBKEY and the application naming convention, one
should be eventually choosen - which one I cannot say now.
Do recommend against using the KEY at the apex to store non-DNSSEC keys,
but allow it. (It's acceptable to me for a registr* to charge for such
keys.)
My thoughts on the PUBKEY vs. naming convention:
PUBKEY can coincide with KEY, even use the same syntax. You could even
think of PUBKEY as simply a "cname" to KEY definition wise ;). This
doesn't end the subtyping issue however, although now I can put my
non-DNSSEC apex keys in PUBKEY and just send the KEY set to the parent.
(This approach would speed time to specification and implementation.) One
spec caveat here - recommend that only zone keys be in and be put in the
KEY, all others be in and be put in PUBKEY.
The naming convention keeps rising in conversations, but I've never seen it
succeed. (I've never seen it be an utter failure.) One question: should
the names be something like:
cnn.example. SOA
A
_ipsec KEY
_ssh KEY
www A
_ipsec.www KEY
or
cnn.example. SOA
A
www A
_ipsec.key KEY
_ssh.key KEY
_ipsec.www.key KEY
? (Should the keys be in one subdomain?)
The former (PUBKEY) is quicker to acheive but still has subtyping (which
complicates resolution). The latter increases names in a zone but removes
the subtyping issue.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis NAI Labs
Phone: +1 443-259-2352 Email: lewis@tislabs.com
You fly too often when ... the airport taxi is on speed-dial.
Opinions expressed are property of my evil twin, not my employer.