

To: Randy Bush <randy@psg.com>
Cc: Edward Lewis <lewis@tislabs.com>, dnssec@cafax.se
From: Dan Massey <masseyd@isi.edu>
Date: Thu, 10 May 2001 17:29:31 -0400
Content-Disposition: inline
Delivery-Date: Fri May 11 07:38:36 2001
In-Reply-To: <E14xw3q-0000Ru-00@roam.psg.com>; from randy@psg.com on Thu, May 10, 2001 at 03:25:18PM -0400
Sender: owner-dnssec@cafax.se
User-Agent: Mutt/1.2.5i
Subject: Re: Keys at apex problem - New PUBKEY RR?

On Thursday, May 10, 2001 at 03:25PM, Randy Bush wrote:
| > I grok (see & understand) Randy's point.  A centralized infrastructure
| > element, such as DNS, should be as simple and lightweight as possible for
| > two reasons.  It should never break down.  It should never be a performance
| > bottleneck (with breaking down an extreme case of this).  A long time ago I
| > came to these conclusions when researching middleware (long time ago =
| > pre-1035).  These long-held opinions of mine would lead me to agree with
| > Randy - and I've already said I don't.
| > 
| > Why?  There isn't an option to DNS at this point.  I don't see a place
| > applications can easily rely on to get meta-data.  I am aware of LDAP, but
| > haven't been convinced that it's the way to go for pulling keys.
| > 
| > More importantly, I agree with Jakob that the use of DNS to hold keys is
| > not a significant change from DNS without this service.
| 
| and this is why the problem has never been fixed.  we keep adding more
| rotten tomatoes to the overfilled can because there always seems to be room
| for one more tomato, and there are no other containers as easily abused.
| 
| hence no one ever makes more appropriate containers for vegetables (or
| fruit, tomatoes are a fruit).  if we stop this feeping creaturism, dns
| cruftification will slow, and the protein abusers will be forced to actually
| solve their problems, maybe even in a nice clean and well-understood manner.
| 
| randy

offlist comment...  good luck with Ed on this one.  I hope your discussion
with goes better than mine did!  We had a pointless discussion on a
project mailing list.

I've tried to convince Ed that there are two questions here.  First there
is the question of what keys belong in the DNS.  It seems like ipsec, ssl, 
and email key types sort of slipped through last time.  The app key debate 
ought to occur without getting tangled in the DNSSEC key issues.

The second issue involves how to store app keys.  My concern is that adding
app keys to the DNS by subtyping the KEY record and then trying to patch the
subtype problems with special labels like _ssh.hostname or _ipsec.hostname
seems to just make a mess.  I confused things by suggesting a new PUBKEY
record.  That was a mistake.  I just want ANY solution that keeps the app
keys away from DNSSEC keys.  They don't play well together :)

What do you think of my later proposal to push the key discussion out
of the RFC 2535 revision?

Dan
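The subtyping Dan objects to is the RFC 2535 KEY record's flags and protocol octet: a DNSSEC zone key and an IPSEC, TLS or email key are all the same RR type, so they land in the same apex RRset and are fetched and signed as a unit. The following is an added example, not code from this thread; it assumes the RFC 2535 KEY RDATA layout (2-octet flags, protocol octet, algorithm octet, public key) and uses constructed key material with nominal flag and protocol values to show what a validator that only wants zone keys actually has to pull.

```python
# Added example (not from the thread): parse RFC 2535 KEY RDATA and show
# how application keys and DNSSEC zone keys end up in one apex RRset.
import struct

# RFC 2535 section 3.1.3: protocol octet values.
PROTOCOL_NAMES = {1: "TLS", 2: "email", 3: "DNSSEC", 4: "IPSEC", 255: "all"}
# RFC 2535 section 3.1.2: name type, flag bits 6-7 (bit 0 = most significant).
NAME_TYPES = {0: "user", 1: "zone", 2: "host", 3: "reserved"}
# Flag bits 0-1: key type; 0b11 means "no key" (NULL key).
NO_KEY = 0b11


def parse_key_rdata(rdata: bytes) -> dict:
    """Split KEY RDATA into its fixed header fields and the public key blob."""
    if len(rdata) < 4:
        raise ValueError("KEY RDATA shorter than the 4-octet fixed header")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    key_type = (flags >> 14) & 0x3      # bits 0-1 from the MSB
    name_type = (flags >> 8) & 0x3      # bits 6-7 from the MSB (0x0100 = zone key)
    return {
        "flags": flags,
        "no_key": key_type == NO_KEY,
        "name_type": NAME_TYPES[name_type],
        "protocol": protocol,
        "protocol_name": PROTOCOL_NAMES.get(protocol, "unassigned"),
        "algorithm": algorithm,
        "public_key": rdata[4:],
    }


def make_key_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Build KEY RDATA in wire form (constructed sample data, not real keys)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


# Constructed apex KEY RRset for an imaginary zone: one DNSSEC zone key plus
# three application keys that RFC 2535 subtyping lets sit beside it.
APEX_KEYS = [
    make_key_rdata(0x0100, 3, 1, b"\x01" * 128),  # zone key, protocol DNSSEC
    make_key_rdata(0x0200, 4, 1, b"\x02" * 128),  # host key, protocol IPSEC
    make_key_rdata(0x0200, 1, 1, b"\x03" * 64),   # host key, protocol TLS
    make_key_rdata(0x0000, 2, 1, b"\x04" * 64),   # user key, protocol email
]


def is_dnssec_zone_key(key: dict) -> bool:
    """A validator can only use zone-type keys whose protocol allows DNSSEC."""
    return (not key["no_key"]
            and key["name_type"] == "zone"
            and key["protocol"] in (3, 255))


def split_apex_rrset(rrset: list) -> tuple:
    """Separate the keys DNSSEC needs from the application keys riding along."""
    parsed = [parse_key_rdata(r) for r in rrset]
    dnssec = [k for k in parsed if is_dnssec_zone_key(k)]
    app = [k for k in parsed if not is_dnssec_zone_key(k)]
    return dnssec, app


def rrset_wire_size(rrset: list) -> int:
    """RDATA octets in the RRset; the SIG over a KEY RRset covers all of them."""
    return sum(len(r) for r in rrset)


def validator_overhead(rrset: list) -> dict:
    """Octets a validator must fetch and hash versus octets it actually uses."""
    dnssec, app = split_apex_rrset(rrset)
    needed = sum(4 + len(k["public_key"]) for k in dnssec)
    return {
        "zone_keys": len(dnssec),
        "app_keys": len(app),
        "octets_needed": needed,
        "octets_fetched": rrset_wire_size(rrset),
    }


if __name__ == "__main__":
    for k in (parse_key_rdata(r) for r in APEX_KEYS):
        print(f"{k['name_type']:5} key, protocol {k['protocol_name']:7}, "
              f"{len(k['public_key'])} octets")
    print(validator_overhead(APEX_KEYS))
```

Because the whole RRset is what gets signed and returned, every application key added at the apex inflates the response a DNSSEC validator has to fetch and verify, and every key rollover for an unrelated application forces the KEY RRset to be re-signed; that is the coupling Dan wants a separate record type to break.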
