To: Randy Bush <randy@psg.com>
Cc: <dnssec@cafax.se>
From: Jakob Schlyter <jakob@crt.se>
Date: Sat, 12 May 2001 09:24:29 +0200 (MEST)
Delivery-Date: Sun May 13 09:06:40 2001
In-Reply-To: <E14y9dr-0000dg-00@roam.psg.com>
Sender: owner-dnssec@cafax.se
Subject: Re: Keys at apex problem - New PUBKEY RR?

On Fri, 11 May 2001, Randy Bush wrote:

> > I would say dns is very good at storing data that looks like, or could be
> > made to look like, a domain name.
>
> this logic leads to using it to replace the phone book.

if we're using it for looking up names and numbers, not searching for them,
why not? this is currently only defined for looking up E.164 numbers, but
other stuff could work as well. like,

jakob.crt.se. IN NAPTR 0 1 "u" "sip+X2U" "!^.*$!sip:jakob@schlyter.pp.se!"
              IN NAPTR 0 2 "u" "tel+X2U" "!^.*$!tel:+46317014213!"

> > with dnssec we have a secure, relatively small and lightweight lookup
> > mechanism for things that look like domain names
>
> so far, with dnssec, we have something that is complex, is not well
> understood, does not have a documented threat model, and is not yet
> deployable.  why don't we pile more <bleep> on it to improve the
> situation?

the CERT and KEY RRs (except the keys used by dnssec itself) are not more
dependent on dnssec than A6, DNAME or NAPTR. we continue to discuss and
standardize these mechanisms even without fully understanding dnssec. as
long as we try to keep the new <bleep> separate (e.g. different naming
and/or type for keys used for applications, certificates etc), we can
handle this.

	jakob

--
Jakob Schlyter <jakob@crt.se>                Network Analyst
Phone:  +46 31 701 42 13, +46 70 595 07 94   Carlstedt Research & Technology
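The NAPTR lookup sketched in the message above (sort by order and preference, apply each record's regexp rewrite to the queried name, collect the resulting URIs) as an added, self-contained example; this is not code from the thread or from any project discussed in it. It assumes a constructed in-memory record set standing in for a DNS answer, uses Python's `re` module as an approximation of the POSIX extended regular expressions NAPTR specifies, and adds the E.164-to-domain mapping (reversed digits under e164.arpa) that the "looking up E.164 numbers" remark refers to.

```python
import re
from dataclasses import dataclass


@dataclass
class Naptr:
    """One NAPTR RR: order, preference, flags, service, regexp, replacement."""
    order: int
    preference: int
    flags: str
    service: str
    regexp: str
    replacement: str


# Constructed sample answer, mirroring the two records quoted in the message.
# In a real resolver this would come from a (DNSSEC-validated) DNS response;
# treat the regexp fields as untrusted input, not as trusted code.
RECORDS = {
    "jakob.crt.se.": [
        Naptr(0, 2, "u", "tel+X2U", "!^.*$!tel:+46317014213!", "."),
        Naptr(0, 1, "u", "sip+X2U", "!^.*$!sip:jakob@schlyter.pp.se!", "."),
    ]
}


def e164_to_domain(number, suffix="e164.arpa."):
    """Map an E.164 number (+46...) to its ENUM owner name: digits reversed,
    dot-separated, under the suffix. Non-digit characters are dropped."""
    digits = [c for c in number if c.isdigit()]
    if not digits:
        raise ValueError("no digits in E.164 number")
    return ".".join(reversed(digits)) + "." + suffix


def split_regexp(field):
    """Split a NAPTR regexp field of the form  D ere D repl D [flags]
    where D is the delimiter given by the first character. A delimiter
    escaped with a backslash inside a part does not split it."""
    if not field:
        raise ValueError("empty regexp field")
    delim = field[0]
    parts, cur, i = [], [], 1
    while i < len(field):
        c = field[i]
        if c == "\\" and i + 1 < len(field):
            cur.append(field[i:i + 2])  # keep escape pair intact
            i += 2
            continue
        if c == delim:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    if len(parts) != 3:
        raise ValueError("malformed NAPTR regexp field: %r" % field)
    ere, repl, flags = parts
    repl = repl.replace("\\" + delim, delim)  # unescape delimiter in replacement
    return ere, repl, flags


def apply_naptr(name, rec):
    """Apply one record's rewrite rule to the queried name.
    Returns the rewritten string, or None if the ERE does not match.
    Backreferences \\1..\\9 in the replacement are honoured by re.sub."""
    ere, repl, flags = split_regexp(rec.regexp)
    reflags = re.IGNORECASE if "i" in flags else 0
    if len(ere) > 255:  # DNS character-strings are bounded; refuse oversized patterns
        return None
    if not re.search(ere, name, reflags):
        return None
    return re.sub(ere, repl, name, count=1, flags=reflags)


def resolve(name, records=RECORDS):
    """Return (service, uri) pairs for terminal ('u' flag) NAPTR records of
    `name`, in order/preference order. Non-terminal records are skipped."""
    recs = sorted(records.get(name, []), key=lambda r: (r.order, r.preference))
    out = []
    for r in recs:
        if "u" not in r.flags.lower():
            continue
        uri = apply_naptr(name, r)
        if uri is not None:
            out.append((r.service, uri))
    return out


if __name__ == "__main__":
    for service, uri in resolve("jakob.crt.se."):
        print(service, uri)
    print(e164_to_domain("+46317014213"))
```

The sort key is the protocol's rule that a lower order wins outright and preference only breaks ties within an order, so the sip record (preference 1) is returned before the tel record (preference 2) even though both have order 0.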