To: Jakob Schlyter <jakob@crt.se>
Cc: <dnssec@cafax.se>
From: Olafur Gudmundsson <ogud@ogud.com>
Date: Fri, 27 Apr 2001 20:17:03 -0400
Delivery-Date: Tue May 1 10:47:09 2001
In-Reply-To: <Pine.BSO.4.31.0104262119130.3081-100000@fonbella.crt.se>
Sender: owner-dnssec@cafax.se
Subject: Re: Keys at apex problem - New PUBKEY RR?

At 15:47 26-04-2001, Jakob Schlyter wrote:
>On Thu, 26 Apr 2001, Olafur Gudmundsson wrote:
>
> > If there is a redirection in what cases MUST the key be stored with
> > the SRV record versus the target.
> > Example: (ssh is not the best protocol for this example but will do).
> > _ssh._tcp.example.com. SRV 0 0 22022 terminal.example.com.
> > and later in the zone there is
> > _ssh._tcp.HOST.example.com. SRV 0 0 22122 terminal.example.com
> >
> > In this case does terminal use one or two different host keys?
> > If the answer is one then the key should be stored at
> > _ssh._tcp.terminal.example.com.
> > on the other hand if the keys are different then I can make an argument
> > for storing the keys with the SRV record rather than have one large KEY
> > set at terminal.
>
>do we have to (or rather should we) specify this or would this be up to
>the application to decide?

My vote would be for applications to decide but in the document that
describes how to write a definition this would be an issue to be specified.

>if the srv record redirects to several hosts, should all hosts be forced
>to have the same host key? a better solution could be to first look up the
>key at the srv record first (if used) and, if not found, fall back to the
>keys at the host selected.

I assume this is the operation you are proposing for SSH?

        Olafur
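
The lookup order discussed in this message (KEY set at the SRV owner first, then the keys at the selected host), sketched as an added example that is not part of the original e-mail or of any specification. The zone is modelled as an in-memory table; the KEY values, the function names and the choice to look for the fallback keys at the bare target host name are assumptions made for illustration.

```python
# Added illustration; KEY values and helper names are constructed/hypothetical.
def norm(name):
    """DNS names compare case-insensitively; drop the trailing dot."""
    return name.rstrip(".").lower()

def build_zone(records):
    """Index (owner, type) -> list of rdata from (owner, type, rdata) tuples."""
    zone = {}
    for owner, rtype, rdata in records:
        zone.setdefault((norm(owner), rtype), []).append(rdata)
    return zone

def lookup_host_key(zone, service, proto, name):
    """Return (port, target, keys, where_found), or None if no SRV exists.

    Order from the thread: KEY set at the SRV owner first, then the
    KEY set at the selected target host.
    A real resolver would accept these answers only after DNSSEC
    validation; that step is not modelled here.
    """
    srv_owner = norm(f"_{service}._{proto}.{name}")
    srvs = zone.get((srv_owner, "SRV"))
    if not srvs:
        return None
    # Simplification: take the lowest-priority record, ignore weights.
    priority, weight, port, target = min(srvs, key=lambda r: r[0])
    target = norm(target)
    keys = zone.get((srv_owner, "KEY"))
    if keys:
        return port, target, keys, "srv-owner"
    # Assumption: fallback keys live at the target host name itself.
    return port, target, zone.get((target, "KEY"), []), "target-host"

ZONE = build_zone([
    # The two SRV records are the ones quoted in the message.
    ("_ssh._tcp.example.com.", "SRV", (0, 0, 22022, "terminal.example.com.")),
    ("_ssh._tcp.HOST.example.com.", "SRV", (0, 0, 22122, "terminal.example.com")),
    # Constructed: the second service carries its own key at the SRV owner.
    ("_ssh._tcp.host.example.com.", "KEY", "key-for-port-22122 (constructed)"),
    ("terminal.example.com.", "KEY", "terminal-default-key (constructed)"),
])

if __name__ == "__main__":
    for name in ("example.com", "host.example.com"):
        print(name, lookup_host_key(ZONE, "ssh", "tcp", name))
```

With this order, one target host can present different keys per service port without growing a single large KEY set at `terminal`, and services that share the host key need no KEY record of their own.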