DNSSEC mailing list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: Jakob Schlyter <jakob@crt.se>, Olafur Gudmundsson <ogud@ogud.com>
Cc: <dnssec@cafax.se>, <sra@hactrn.net>
From: Olafur Gudmundsson <ogud@ogud.com>
Date: Wed, 25 Apr 2001 10:37:12 -0400
Delivery-Date: Thu Apr 26 08:16:19 2001
In-Reply-To: <Pine.BSO.4.33.0104202353040.24513-100000@fonbella.crt.se>
Sender: owner-dnssec@cafax.se
Subject: Re: Keys at apex problem - New PUBKEY RR?

At 18:14 20-04-2001, Jakob Schlyter wrote:
>On Fri, 20 Apr 2001, Olafur Gudmundsson wrote:
>
> > I think we should pick one of 1, 2 or 3 and suggest that in an ID as 
> soon as
> > possible.
>
>I would be interested in working on a ID describing this, but I need
>assistance. Dan?


Good,



> > Solution 1 (KEY + APPKEY) has the lowest cost,
> > cost:   same number of names
> >          one more type regardless of number of application keys
> >          one more signature
> > drawbacks:  many security aware applications will cause large key sets.
> >          if applications want to define use of flags we may run out of 
> flags
> >          or overload flags between applications.
> > advantages: simple to deploy one time cost.
>
>should we consider the risk of large key sets a big problem?

anything that potentially overflows a packet size is a problem,
depending on how many keys you need to overflow dictates if the problem is
small or big :-.


> > Solution 2 KEY + <app>key type
> > cost:   same number of names
> >          one type for each application supported by name
> >          more types to sign
> > drawbacks: DNS servers and resolver must support unknown types for rapid
> >          deployment of new application key types.
> > advantages: small key sets that are easy to find no searching in key list
> >          Each type has clean slate on use of flags and does not affect any
> >          other applications.
>
>are the drawbacks perhaps so large that people will not use this for
>applications?

possible but this is the cleanest solution it is up to the working group
to decide if this is the right way to go forward.



> > Solution 3: KEY and _<app>.name KEY
> > cost:   extra name for every application
> >          extra NXT/NO set
> >          2 more signatures per key set.
> > drawbacks: same as 1. + the extra set
> > advantages: small keys sets (just like 2).
>
>I like this more and more. perhaps more realistic that 1. _app should be
>defined in a document per application, but that is needed anyway to
>describe the RDATA format

in this case the regular KEY record is used.
The open question is who gets to pick the name, working groups or IANA?

         Olafur

Follow-Ups:
- Re: Keys at apex problem - New PUBKEY RR?
  - From: Jakob Schlyter <jakob@crt.se>

References:
- Re: Keys at apex problem - New PUBKEY RR?
  - From: Olafur Gudmundsson <ogud@ogud.com>
- Re: Keys at apex problem - New PUBKEY RR?
  - From: Jakob Schlyter <jakob@crt.se>

Prev by Date: Re: Keys at apex problem - New PUBKEY RR?
Next by Date: Re: Keys at apex problem - New PUBKEY RR?
Prev by thread: Re: Keys at apex problem - New PUBKEY RR?
Next by thread: Re: Keys at apex problem - New PUBKEY RR?
Index(es):
- Date
- Thread

Home | Date list | Subject list