To: Patrik Fältström <paf@cisco.com>
Cc: Edward Lewis <lewis@tislabs.com>, <dnssec@cafax.se>
From: Jakob Schlyter <jakob@crt.se>
Date: Tue, 1 May 2001 11:24:02 +0200 (CEST)
Delivery-Date: Wed May 2 08:47:37 2001
In-Reply-To: <4103464.988714527@localhost>
Sender: owner-dnssec@cafax.se
Subject: Re: Keys at apex problem - New PUBKEY RR?
On Tue, 1 May 2001, Patrik Fältström wrote:
> But, I don't see any problem having more than one KEY with the same owner.
>
> What did I miss in this discussion?
- keys at apex
the parent needs to sign KEY(example.com.). if the child
has application keys at the apex these KEYs need to be signed by the
parent. e.g. why should .com need to sign the SSH host key for the
host example.com.? when any of that host's keys changes, we need
the parent to re-sign.
- large RR sets
if a host has multiple application keys, a query for KEY(host) will
return a huge response (i.e. all KEYs). this could be a problem.
both these could be solved by storing the KEY for an application at
another location in the tree. this could also be solved by storing the key
outside the DNS, possibly by pointing out that location via DNS.
both methods have their pros and cons, and although I don't believe in storing
this information outside DNS because I think that will be too complicated,
I do think we need to compare them, discuss them and perhaps even leave it
up to the application to decide which one to use.
/Jakob
--
Jakob Schlyter <jakob@crt.se> Network Analyst
Phone: +46 31 701 42 13, +46 70 595 07 94 Carlstedt Research & Technology
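The two problems Jakob lists both follow from one DNSSEC rule: a signature covers a whole RRset (owner name plus type), so any record added to or changed in the child's apex KEY RRset invalidates the parent's signature over it, and a query for that RRset returns every record in it. The following Python model is an added illustration written for this archive page, not code from the thread or from any DNSSEC implementation. It compares the two layouts discussed (application keys at the apex versus "another location in the tree"); the alternate owner name `_keys.example.com.`, the key labels and the key material are constructed placeholders, and record sizes are string lengths rather than real wire-format lengths.

```python
from copy import deepcopy

APEX = "example.com."
# Assumed alternate owner name for application keys. The thread only says
# "another location in the tree"; this name is a placeholder, not a standard.
ALT_OWNER = "_keys.example.com."

# Constructed key material. Sizes are len() of these strings, not real
# wire-format lengths; only the relative comparison matters here.
ZONE_KEY = ("zone-key", "Z" * 128)
APP_KEYS = [("ssh-host-key", "S" * 256),
            ("ipsec-key", "I" * 256),
            ("mail-key", "M" * 256)]


def build_zone(app_keys_at_apex):
    """Return a zone as {(owner, rrtype): [(label, key_material), ...]}.

    With app_keys_at_apex=True every key shares the apex owner name and so
    lands in one KEY RRset; with False the application keys form their own
    RRset under ALT_OWNER and the apex KEY RRset holds only the zone key.
    """
    zone = {(APEX, "KEY"): [ZONE_KEY]}
    owner = APEX if app_keys_at_apex else ALT_OWNER
    zone.setdefault((owner, "KEY"), []).extend(APP_KEYS)
    return zone


def signer_of(owner, rrtype):
    """Who signs an RRset: the parent (.com) signs the child's apex KEY
    RRset at the delegation point; the child zone signs everything else."""
    return "parent" if (owner, rrtype) == (APEX, "KEY") else "child"


def rotate_key(zone, label, new_material):
    """Replace the key material of one record, returning a new zone."""
    new = deepcopy(zone)
    for records in new.values():
        for i, (lbl, _) in enumerate(records):
            if lbl == label:
                records[i] = (lbl, new_material)
    return new


def changed_rrsets(before, after):
    """RRsets whose contents differ. A signature covers the whole RRset,
    so each of these needs a fresh signature from its signer."""
    return {k for k in set(before) | set(after) if before.get(k) != after.get(k)}


def resigners_after_rotation(app_keys_at_apex, label="ssh-host-key"):
    """Set of signers that must act when one application key is rotated."""
    before = build_zone(app_keys_at_apex)
    after = rotate_key(before, label, "N" * 256)
    return {signer_of(o, t) for (o, t) in changed_rrsets(before, after)}


def response_size(zone, owner, rrtype="KEY"):
    """Approximate answer size for a query of (owner, rrtype): the whole RRset."""
    return sum(len(material) for _, material in zone.get((owner, rrtype), []))


def apex_key_response_size(app_keys_at_apex):
    """Size of the answer to KEY(example.com.) under the chosen layout."""
    return response_size(build_zone(app_keys_at_apex), APEX)


if __name__ == "__main__":
    for layout in (True, False):
        where = "at apex" if layout else f"under {ALT_OWNER}"
        print(f"app keys {where}: rotating ssh-host-key requires re-signing by "
              f"{sorted(resigners_after_rotation(layout))}, "
              f"KEY({APEX}) answer ~{apex_key_response_size(layout)} bytes")
```

With the keys at the apex, rotating the SSH host key changes the apex KEY RRset and therefore needs the parent to re-sign; with the keys under a separate owner name only the child's own signature is affected, and the KEY(example.com.) answer shrinks to the zone key alone.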