To: Wesley Griffin <wgriffin@tislabs.com>
Cc: dnssec@cafax.se
From: Dan Massey <masseyd@isi.edu>
Date: Fri, 6 Jul 2001 16:29:26 -0400
Content-Disposition: inline
Delivery-Date: Sun Jul 8 21:39:21 2001
In-Reply-To: <20010706155831.A5167@tislabs.com>; from wgriffin@tislabs.com on Fri, Jul 06, 2001 at 03:58:37PM -0400
Sender: owner-dnssec@cafax.se
User-Agent: Mutt/1.2.5i
Subject: Re: SSH keys in DNS

On Friday, July 06, 2001 at 03:58PM, Wesley Griffin wrote:
| So I've been working on modifying the OpenSSH client to lookup host keys
| via DNS and I've run into an issue with the KEY record and
| protocol/algorithm octets.
| 
| SSH has 2 protocols: version 1 and version 2.  The v1 protocol uses RSA
| for host keys, and the v2 protocol uses both DSA and RSA for host keys.
| I don't know how other clients work, but the OpenSSH client uses a
| different RSA key for the v1 key and v2 key.
| 
| Initially I wrote the secsh-dns-key-format-00 draft to request only a
| single protocol value from IANA for the DNS KEY record. The problem is
| that when a v1 RSA key and v2 RSA key are both put in DNS, the protocol
| distinction is lost.
| 
| I thought that perhaps the way to proceed would be to request 2 protocol
| values from IANA: an SSHv1 protocol value and SSHv2 protocol value. But
| I'm wondering if since it is still the SSH protocol, just a different
| version, whether this is the appropriate method.
| 

No, I don't think this is appropriate.  It puts too much application
specific information into the KEY record and having two protocol values
for SSH starts a bad trend in this area.

Right now, at worst, you get two RSA keys for ssh.  Try the first RSA
key and if it matches the key presented by the host then you are done.
Otherwise try the second RSA key.

Also, a server could choose to use the same RSA key for both v1 and v2
so then there is only one SSH RSA key in the DNS if this is a concern.

Dan
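
The client-side matching Dan describes (walk the KEY RRset, skip records with another protocol value, try each SSH RSA key in turn against the key the host presented), as an added example that is not from the thread or from OpenSSH. It assumes the RFC 2535 KEY RDATA layout (flags, protocol, algorithm, public key); the SSH protocol value is a placeholder, since the draft under discussion had not yet received one from IANA, and the sample records are constructed.

```python
import struct

# RFC 2535 KEY protocol values; the SSH value is a hypothetical placeholder,
# not an IANA assignment (the draft in the thread was still requesting one).
PROTOCOL_DNSSEC = 3
PROTOCOL_SSH_PLACEHOLDER = 200  # assumption for illustration only
ALG_RSA = 1  # RSA/MD5 per RFC 2535; RSA/SHA-1 is 5 per RFC 3110
ALG_DSA = 3
FLAGS_HOST_KEY = 0x0200  # name-type bits (6-7) = 10: host/entity key
FLAGS_ZONE_KEY = 0x0100  # name-type bits (6-7) = 01: zone key


def parse_key_rdata(rdata: bytes):
    """Split KEY RDATA into (flags, protocol, algorithm, public_key)."""
    if len(rdata) < 4:
        raise ValueError("KEY RDATA shorter than the fixed 4-byte header")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return flags, protocol, algorithm, rdata[4:]


def build_key_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Inverse of parse_key_rdata; used here to construct sample records."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def match_ssh_host_key(key_rrset, presented_key: bytes, presented_alg: int,
                       ssh_protocol: int = PROTOCOL_SSH_PLACEHOLDER):
    """Return the index of the KEY RR equal to the key the host presented, else None.

    Records with another protocol octet (e.g. the zone's DNSSEC key) or another
    algorithm are skipped; the remaining SSH keys are tried in RRset order, so
    two RSA keys (one v1, one v2) need no extra protocol value to tell apart.
    """
    for idx, rdata in enumerate(key_rrset):
        _flags, protocol, algorithm, pubkey = parse_key_rdata(rdata)
        if protocol != ssh_protocol or algorithm != presented_alg:
            continue
        if pubkey == presented_key:
            return idx
    return None


def sample_rrset():
    """Constructed RRset: v1 RSA, v2 RSA, DSA host keys, plus a DNSSEC zone key."""
    return [
        build_key_rdata(FLAGS_HOST_KEY, PROTOCOL_SSH_PLACEHOLDER, ALG_RSA, b"constructed-rsa-v1-key"),
        build_key_rdata(FLAGS_HOST_KEY, PROTOCOL_SSH_PLACEHOLDER, ALG_RSA, b"constructed-rsa-v2-key"),
        build_key_rdata(FLAGS_HOST_KEY, PROTOCOL_SSH_PLACEHOLDER, ALG_DSA, b"constructed-dsa-key"),
        build_key_rdata(FLAGS_ZONE_KEY, PROTOCOL_DNSSEC, ALG_RSA, b"constructed-rsa-v2-key"),
    ]
```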
