To: Jakob Schlyter <jakob@crt.se>
Cc: <dnssec@cafax.se>
From: Olafur Gudmundsson <ogud@ogud.com>
Date: Fri, 27 Apr 2001 20:17:03 -0400
Delivery-Date: Tue May 1 10:47:09 2001
In-Reply-To: <Pine.BSO.4.31.0104262119130.3081-100000@fonbella.crt.se>
Sender: owner-dnssec@cafax.se
Subject: Re: Keys at apex problem - New PUBKEY RR?

At 15:47 26-04-2001, Jakob Schlyter wrote:
>On Thu, 26 Apr 2001, Olafur Gudmundsson wrote:
>
> > If there is a redirection in what cases MUST the key be stored with
> > the SRV record versus the target.
> > Example: (ssh is not the best protocol for this example but will do).
> > _ssh._tcp.example.com. SRV 0 0 22022 terminal.example.com.
> > and later in the zone there is
> > _ssh._tcp.HOST.example.com. SRV 0 0 22122 terminal.example.com.
> >
> > In this case does terminal use one or two different host keys?
> > If the answer is one then the key should be stored at
> > _ssh._tcp.terminal.example.com.
> > On the other hand if the keys are different then I can make an argument
> > for storing the keys with the SRV record rather than have one large KEY
> > set at terminal.
>
>do we have to (or rather should we) specify this or would this be up to
>the application to decide?
My vote would be for applications to decide but in the document
that describes how to write a definition this would be an issue to be
specified.
>if the srv record redirects to several hosts, should all hosts be forced
>to have the same host key? a better solution could be to first look up the
>key at the srv record (if used) and, if not found, fall back to the
>keys at the host selected.
I assume this is the operation you are proposing for SSH?
Olafur
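
The lookup order discussed in this thread (KEY at the SRV owner name first, then fall back to the KEY set at the selected target host), as an added example that is not part of the original message. The zone contents, placeholder key strings and function names are constructed for illustration, and `lookup` stands in for a real, validated DNS query.

```python
# Constructed zone data modelling the two SRV records from the message.
# Key values are placeholders, not real key material.
ZONE = {
    ("_ssh._tcp.example.com.", "SRV"): [(0, 0, 22022, "terminal.example.com.")],
    ("_ssh._tcp.host.example.com.", "SRV"): [(0, 0, 22122, "terminal.example.com.")],
    # Key stored with one SRV owner name only (service-specific key).
    ("_ssh._tcp.host.example.com.", "KEY"): ["PLACEHOLDER-KEY-SERVICE-22122"],
    # Key stored at the target host (shared host key).
    ("terminal.example.com.", "KEY"): ["PLACEHOLDER-KEY-HOST"],
}


def normalize(name):
    """DNS names compare case-insensitively; force a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def lookup(name, rrtype, zone=ZONE):
    """Stand-in for a validated DNS query; returns [] when no RRset exists."""
    return zone.get((normalize(name), rrtype), [])


def find_host_keys(service_name, zone=ZONE):
    """Return (target, port, keys, source) using SRV-first, host-fallback order."""
    srv = lookup(service_name, "SRV", zone)
    if not srv:
        # No redirection in use: keys can only live at the name itself.
        return normalize(service_name), None, lookup(service_name, "KEY", zone), "host"
    # Lowest priority value wins; weight-based selection is omitted here.
    _prio, _weight, port, target = min(srv, key=lambda r: r[0])
    keys = lookup(service_name, "KEY", zone)
    if keys:
        # Key stored with the SRV record: one target can carry per-service keys.
        return normalize(target), port, keys, "srv"
    # Nothing at the SRV owner name: use the key set at the selected host.
    return normalize(target), port, lookup(target, "KEY", zone), "host"
```

With this data, the two SRV names resolve to the same target on different ports but yield different keys, which is the one-key-or-two question raised in the message.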