To: Randy Bush <randy@psg.com>
Cc: Edward Lewis <lewis@tislabs.com>, dnssec@cafax.se
From: Dan Massey <masseyd@isi.edu>
Date: Thu, 10 May 2001 17:29:31 -0400
Content-Disposition: inline
Delivery-Date: Fri May 11 07:38:36 2001
In-Reply-To: <E14xw3q-0000Ru-00@roam.psg.com>; from randy@psg.com on Thu, May 10, 2001 at 03:25:18PM -0400
Sender: owner-dnssec@cafax.se
User-Agent: Mutt/1.2.5i
Subject: Re: Keys at apex problem - New PUBKEY RR?
On Thursday, May 10, 2001 at 03:25PM, Randy Bush wrote:
| > I groc (see & understand) Randy's point. A centralized infrastructure element, such as DNS, should be as simple and lightweight as possible for two reasons. It should never break down. It should never be a performance bottleneck (with breaking down an extreme case of this). A long time ago I came to these conclusions when researching middleware (long time ago = pre-1035). These long-held opinions of mine would lead me to agree with Randy - and I've already said I don't.
| >
| > Why? There isn't an option to DNS at this point. I don't see place applications can easily rely on to get meta-data. I am aware of LDAP, but haven't been convinced that it's the way to go for pulling keys.
| >
| > More importantly, I agree with Jakob that the use of DNS to hold keys is not a significant change from DNS without this service.
|
| and this is why the problem has never been fixed. we keep adding more rotten tomatoes to the overfilled can because there always seems to be room for one more tomato, and there are no other containers as easily abused.
|
| hence no one ever makes more appropriate containers for vegetables (or fruit, tomatoes are a fruit). if we stop this feeping creaturism, dns cruftification will slow, and the protein abusers will be forced to actually solve their problems, maybe even in a nice clean and well-understood manner.
|
| randy

offlist comment... good luck with Ed on this one. I hope your discussion with goes better than mine did! We had a pointless discussion on a project mailing list. I've tried to convince Ed that there are two questions here. First there is the question of what keys belong in the DNS. It seems like ipsec, ssl, and email key types sort of slipped through last time. The app key debate ought to occur without getting tangled in the DNSSEC key issues. The second issue involves how to store app keys.
My concern is that adding app keys to the DNS by subtyping the KEY record and then trying to patch the subtype problems with special labels like _ssh.hostname or _ipsec.hostname seems to just make a mess. I confused things by suggesting a new PUBKEY record. That was a mistake. I just want ANY solution that keeps the app keys away from DNSSEC keys. They don't play well together :) What do you think of my later proposal to push the key discussion out of the RFC 2535 revision?

Dan