

To: Scott Rose <scottr@barnacle.antd.nist.gov>
Cc: <dnssec@cafax.se>
From: Jakob Schlyter <jakob@crt.se>
Date: Mon, 23 Apr 2001 17:02:02 +0200 (CEST)
Delivery-Date: Tue Apr 24 08:04:50 2001
In-Reply-To: <01042310354500.00903@barnacle.antd.nist.gov>
Sender: owner-dnssec@cafax.se
Subject: Re: Keys at apex problem - New PUBKEY RR?

On Mon, 23 Apr 2001, Scott Rose wrote:

> I think the name vs. new type leads us to this choice:
>
> _<app>.name  KEY    or        name  APPKEY
>
> having a separate type and a naming convention for apps wouldn't be
> that much different than the first option

another advantage of using _<app>.name is zone splitting, i.e. keys
can be put in a separate zone so you can delegate the data for some
application to a separate set of servers.

slightly off-topic I'd like to mention that we've been discussing
something like this for naming the keys of CERT user (and other) keys. if
we use user@foo.bar -> CERT(user._pgp.foo.bar) we get benefits like:

 - less risk of name collision between users and hosts (until hosts get
   PGP keys that is)

 - the option to move the many and big CERT records for users out of the
   way from the "normal" zone.

 - the possibility of interfacing to alternate backends in the
   nameservers.


/Jakob

--
Jakob Schlyter <jakob@crt.se>                Network Analyst
Phone:  +46 31 701 42 13, +46 70 595 07 94   Carlstedt Research & Technology
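
The naming convention and zone split described in this message, sketched in Python as an added example that is not part of the original post or of any DNS software. The function names, the refusal of dotted local parts, and the sample host and user names under foo.bar are assumptions made here.

```python
# Added illustration; foo.bar, the host names and the user names are constructed.

def cert_owner(address, label="_pgp"):
    """Map user@domain to the owner name user.<label>.domain (the convention in the message)."""
    user, sep, domain = address.rpartition("@")
    if not sep or not user or not domain:
        raise ValueError("not a user@domain address: %r" % address)
    if "." in user:
        # A dot in the local part would become an extra DNS label; the message
        # does not say how to encode it, so this sketch refuses it.
        raise ValueError("local part contains a dot: %r" % address)
    return ("%s.%s.%s." % (user, label, domain.rstrip("."))).lower()

def is_under(name, zone):
    """True if name is at or below zone (whole-label comparison, not substring)."""
    n = name.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    return len(n) >= len(z) and n[-len(z):] == z

def split_zone(owner_names, parent, label="_pgp"):
    """Partition owner names between the parent zone and a child zone cut at <label>.<parent>."""
    child = "%s.%s." % (label, parent.rstrip("."))
    kept, moved = [], []
    for name in owner_names:
        if not is_under(name, parent):
            raise ValueError("%s is outside %s" % (name, parent))
        (moved if is_under(name, child) else kept).append(name)
    return child, kept, moved

if __name__ == "__main__":
    hosts = ["www.foo.bar.", "mail.foo.bar."]   # constructed host names
    users = ["www@foo.bar", "alice@foo.bar"]    # constructed; user "www" shares a label with a host
    names = hosts + [cert_owner(u) for u in users]
    child, kept, moved = split_zone(names, "foo.bar.")
    print("parent zone keeps:", kept)
    print("delegated zone", child, "holds:", moved)
```

Everything in the second list sits below a single cut point, so the parent zone only needs NS records at `_pgp.foo.bar.` to hand the user keys to a separate set of servers.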

