To: Patrik Fältström <paf@cisco.com>
Cc: Edward Lewis <lewis@tislabs.com>, <dnssec@cafax.se>
From: Jakob Schlyter <jakob@crt.se>
Date: Tue, 1 May 2001 11:24:02 +0200 (CEST)
Delivery-Date: Wed May 2 08:47:37 2001
In-Reply-To: <4103464.988714527@localhost>
Sender: owner-dnssec@cafax.se
Subject: Re: Keys at apex problem - New PUBKEY RR?
On Tue, 1 May 2001, Patrik Fältström wrote:

> But, I don't see any problem having more than one KEY with the same owner.
>
> What did I miss in this discussion?

- keys at apex

  The parent needs to sign KEY(example.com.). If the child has application
  keys at the apex, these KEYs need to be signed by the parent. E.g. why
  should .com need to sign the SSH host key for the host example.com.?
  When any of that host's keys changes, we need the parent to re-sign.

- large RR sets

  If a host has multiple application keys, a query for KEY(host) will
  return a huge response (i.e. all KEYs). This could be a problem.

Both of these could be solved by storing the KEY for an application at
another location in the tree. This could also be solved by storing the
key outside the DNS, possibly by pointing out that location via DNS.

Both methods have their pros and cons, and although I don't believe in
storing this information outside DNS because I think that will be too
complicated, I do think we need to compare them, discuss them and
perhaps even leave it up to the application to decide which one to use.

/Jakob

--
Jakob Schlyter <jakob@crt.se>                Network Analyst
Phone: +46 31 701 42 13, +46 70 595 07 94    Carlstedt Research & Technology
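The two problems in the message above, worked through as an added example (this is not code from the original message, from the list, or from any DNSSEC implementation). It models RFC 2535 KEY RRs in wire format and compares the two layouts Jakob contrasts: all keys at the apex versus the zone key alone at the apex with application keys at another owner name in the child zone. Assumptions, all labelled in the code: the owner name `_keys.example.com.` is illustrative; the key material is deterministic filler of the length of a 1024-bit RSA/MD5 key (RFC 2537 layout), not real keys; SSH has no protocol value in RFC 2535, so 255 ("any") stands in for it; a SHA-256 digest over the RFC 2535 canonical RRset stands in for the parent's signature (any change to that digest means the parent has to produce a new SIG); and the 512-byte figure is the classic DNS/UDP payload limit from RFC 1035. The SIG RR itself and name compression are left out, so the response sizes are lower bounds.

```python
"""Model of why application KEYs at a zone apex are costly under RFC 2535 DNSSEC.

Added example, not from the original message. Key bytes are constructed filler,
owner names and TTLs are assumptions, a hash stands in for the parent's signature.
"""
import hashlib
import struct

KEY_TYPE = 25            # RR type code for KEY (RFC 2535)
CLASS_IN = 1
UDP_LIMIT = 512          # classic DNS/UDP payload limit (RFC 1035)
ZONE_KEY_FLAGS = 0x0100  # NAMTYP = zone key (RFC 2535 section 3.1.2)
HOST_KEY_FLAGS = 0x0200  # NAMTYP = host / end-entity key
PROTO_TLS, PROTO_DNSSEC, PROTO_IPSEC, PROTO_ANY = 1, 3, 4, 255
ALG_RSAMD5 = 1
RSA_1024_LEN = 1 + 3 + 128  # RFC 2537: exponent length byte, 3-byte exponent, 128-byte modulus
APEX = "example.com."
APP_OWNER = "_keys.example.com."  # assumption: any owner below the apex works; name is illustrative


def wire_name(name):
    """Encode a dotted name in DNS wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_rdata(flags, protocol, algorithm, pubkey):
    """KEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def rr_wire(owner, ttl, rdata):
    """One KEY RR in wire format: owner, type, class, TTL, RDLENGTH, RDATA."""
    return wire_name(owner) + struct.pack("!HHIH", KEY_TYPE, CLASS_IN, ttl, len(rdata)) + rdata


def rrset_canonical(owner, ttl, rdatas):
    """RFC 2535 canonical form of an RRset: RRs sorted by RDATA and concatenated.
    A SIG covers exactly this byte string, so it changes whenever any RR in the
    set is added, removed or replaced, not just the RR that changed."""
    return b"".join(rr_wire(owner, ttl, rd) for rd in sorted(rdatas))


def rrset_digest(owner, ttl, rdatas):
    """Stand-in for the parent's signature over the apex KEY RRset (constructed)."""
    return hashlib.sha256(rrset_canonical(owner, ttl, rdatas)).hexdigest()


def response_size(owner, ttl, rdatas):
    """Bytes in a response to KEY(owner): header, question, all KEY RRs at that owner.
    A DNS RRset is returned whole; SIG RR and name compression are ignored."""
    question = wire_name(owner) + struct.pack("!HH", KEY_TYPE, CLASS_IN)
    return 12 + len(question) + sum(len(rr_wire(owner, ttl, rd)) for rd in rdatas)


def fake_pubkey(seed):
    """Deterministic filler of 1024-bit RSA/MD5 key length (constructed, not a real key)."""
    return (hashlib.sha256(seed.encode()).digest() * 5)[:RSA_1024_LEN]


def zone_key():
    return key_rdata(ZONE_KEY_FLAGS, PROTO_DNSSEC, ALG_RSAMD5, fake_pubkey("zone-key-v1"))


def app_keys(ssh_seed):
    """Three application keys for the host example.com: SSH (no RFC 2535 protocol
    value exists, 255 'any' used as a placeholder), IPsec and TLS."""
    return [
        key_rdata(HOST_KEY_FLAGS, PROTO_ANY, ALG_RSAMD5, fake_pubkey(ssh_seed)),
        key_rdata(HOST_KEY_FLAGS, PROTO_IPSEC, ALG_RSAMD5, fake_pubkey("ipsec-key-v1")),
        key_rdata(HOST_KEY_FLAGS, PROTO_TLS, ALG_RSAMD5, fake_pubkey("tls-key-v1")),
    ]


def apex_layout(ssh_seed="ssh-host-key-v1"):
    """Everything at the apex: the RRset .com signs includes the application keys."""
    return {APEX: [zone_key()] + app_keys(ssh_seed)}


def split_layout(ssh_seed="ssh-host-key-v1"):
    """Only the zone key at the apex; application keys live at a separate owner
    that the child signs with its own zone key."""
    return {APEX: [zone_key()], APP_OWNER: app_keys(ssh_seed)}


def compare(ttl=3600):
    """For each layout: size of the apex KEY response, and whether rotating only
    the SSH host key changes the apex RRset the parent signed."""
    out = {}
    for name, layout in (("apex", apex_layout), ("split", split_layout)):
        before, after = layout(), layout("ssh-host-key-v2")
        out[name] = {
            "apex_response_bytes": response_size(APEX, ttl, before[APEX]),
            "apex_rrset_changed": rrset_digest(APEX, ttl, before[APEX])
            != rrset_digest(APEX, ttl, after[APEX]),
        }
    return out


if __name__ == "__main__":
    for layout, result in compare().items():
        print(layout, result)
```

With four 1024-bit keys at the apex the KEY(example.com.) answer is already 665 bytes before the SIG RR is added, past the 512-byte UDP limit, and rotating the SSH host key changes the apex RRset so the parent must re-sign; with the split layout the apex answer is 188 bytes and the parent-signed RRset is untouched by the rotation.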