

To: Edward Lewis <lewis@tislabs.com>, dnssec@cafax.se
cc: lewis@tislabs.com
From: Patrik Fältström <paf@cisco.com>
Date: Tue, 01 May 2001 10:55:27 +0200
Content-Disposition: inline
Delivery-Date: Tue May 1 11:06:27 2001
In-Reply-To: <v03130300b709d763ff76@[192.94.214.137]>
Sender: owner-dnssec@cafax.se
Subject: Re: Keys at apex problem - New PUBKEY RR?

--On 01-04-23 09.17 -0400 Edward Lewis <lewis@tislabs.com> wrote:

> 1) There is nothing really broken with the current KEY RR holding
> non-DNSSEC keys even at the apex.  True, putting, e.g., IPSEC keys at the
> apex and getting them signed by the parent is ill advised, but the
> protocol will work for this.

(ok, I created a filter in my new email client for this mailing list, but
forgot the mail for some weeks...sorry...)

My take when reading the spec for the KEY and SIG RRs is that the spec
already takes into account that you might want to have more than one KEY RR
for the same owner. The Key ID is what differs between the keys, and
that's why the SIG has the Key ID as separate information, so you don't
have to calculate the SIG and verify it for every key with the same owner.
You can first pick the one which you want to use, and then verify the SIG.

I.e. I might be completely confused, but what is the problem?

I see _one_ question being whether "it is good or not" to "inherit"
security from a DNSSEC PKI into hostkeys for SSH, SSL etc.

I see _another_ question being whether the KEY you should use for SSL
connections should not be a KEY for the SRV RR instead of the generic
hostname (which might be the same as the zone apex).

But, I don't see any problem having more than one KEY with the same owner.

What did I miss in this discussion?

  paf
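The selection step paf describes above, as an added example that is not part of the original message: a verifier facing several KEY RRs at one owner narrows them down by the SIG's signer name, algorithm and key tag (the "Key ID") before doing any signature verification. The key tag is the generic RDATA checksum of RFC 2535 Appendix C / RFC 4034 Appendix B; the key names, flag values and key material below are constructed for illustration and are not real keys. The third key is built so that its tag collides with the first, because a 16-bit tag cannot be assumed unique and the verifier still has to try every candidate that survives the filter.

```python
"""Picking the KEY RR(s) a SIG refers to among several at the same owner.

Added example, not code from the original message or from any DNSSEC
implementation. All RDATA values are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class KeyRR:
    """A KEY RR in the RFC 2535 layout: flags, protocol, algorithm, key."""
    owner: str
    flags: int          # 16-bit flags field (constructed values below)
    protocol: int       # RFC 2535: 3 = DNSSEC, 4 = IPSEC, 255 = all
    algorithm: int
    public_key: bytes   # constructed, not real key material

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


def key_tag(rdata: bytes) -> int:
    """Key tag over the whole KEY RDATA (RFC 2535 App. C / RFC 4034 App. B).

    Even-indexed octets are added shifted left by 8, odd-indexed octets
    as-is, then the carry is folded back in and the low 16 bits kept.
    Algorithm 1 (RSA/MD5) defines a different rule based on the modulus;
    that special case is not implemented here.
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class SigRR:
    """The SIG fields a verifier uses to locate the signing key."""
    type_covered: str
    algorithm: int
    key_tag: int
    signer_name: str


def candidate_keys(rrset: List[KeyRR], sig: SigRR) -> List[KeyRR]:
    """Return the KEY RRs a verifier must actually try for `sig`.

    Matching signer name, algorithm and key tag is what lets the verifier
    skip the other KEY RRs at the same owner (an IPSEC key, a host key)
    without running a signature check against each one. Tags are 16 bits
    and can collide, so this returns a list: verification is then attempted
    against each candidate in turn rather than against a single guess.
    """
    return [k for k in rrset
            if k.owner.lower() == sig.signer_name.lower()
            and k.algorithm == sig.algorithm
            and key_tag(k.rdata()) == sig.key_tag]


# Constructed KEY RRset at one owner: a zone key, an IPSEC key, and a
# second DNSSEC key whose RDATA was chosen to produce the same tag as the first.
K_DNSSEC = KeyRR("example.com.", 0x0100, 3, 5, bytes([0x01, 0x02, 0x03, 0x04]))
K_IPSEC = KeyRR("example.com.", 0x0000, 4, 5, bytes([0xAA, 0xBB, 0xCC, 0xDD]))
K_COLLIDING = KeyRR("example.com.", 0x0000, 3, 5, bytes([0x02, 0x02, 0x03, 0x04]))
K_OTHER_OWNER = KeyRR("www.example.com.", 0x0100, 3, 5, bytes([0x01, 0x02, 0x03, 0x04]))
EXAMPLE_KEYS = [K_DNSSEC, K_IPSEC, K_COLLIDING, K_OTHER_OWNER]

# A constructed SIG over the zone's SOA, naming the zone key by tag.
EXAMPLE_SIG = SigRR("SOA", 5, key_tag(K_DNSSEC.rdata()), "example.com.")

if __name__ == "__main__":
    for k in EXAMPLE_KEYS:
        print(f"{k.owner:18} proto={k.protocol} alg={k.algorithm} tag={key_tag(k.rdata())}")
    print("candidates for SIG:", [key_tag(k.rdata()) for k in candidate_keys(EXAMPLE_KEYS, EXAMPLE_SIG)])
```

Run stand-alone, the script shows four KEY RRs reduced to the two whose tag, algorithm and owner match the SIG; the IPSEC key and the key at another owner are never touched by the verifier, which is the point paf makes about why the SIG carries the Key ID separately.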

