To:
Simon Josefsson <simon+dnssec@josefsson.org>
Cc:
Wesley Griffin <wgriffin@tislabs.com>, <dnssec@cafax.se>
From:
Roy Arends <Roy.Arends@nominum.com>
Date:
Fri, 6 Jul 2001 22:46:35 +0200 (CEST)
Delivery-Date:
Sun Jul 8 21:39:23 2001
In-Reply-To:
<ilupubd6c3d.fsf@barbar.josefsson.org>
Sender:
owner-dnssec@cafax.se
Subject:
Re: SSH keys in DNS
On Fri, 6 Jul 2001, Simon Josefsson wrote:

> Wesley Griffin <wgriffin@tislabs.com> writes:
>
> > I thought that perhaps the way to proceed would be to request 2 protocol
> > values from IANA: an SSHv1 protocol value and SSHv2 protocol value. But
> > I'm wondering if since it is still the SSH protocol, just a different
> > version, whether this is the appropriate method.
> >
> > Should there be a protocol version octet in the DNS KEY record?
> > I don't know what the best approach is, but would like to know what others
> > think.
>
> Another solution is to encode the protocol version into the domain,
> e.g.:
>
> _ssh2.server.example.org
>
> This approach seems to come up in many situations nowadays. Does
> anyone have any opinions if the generic approach is good or bad?

Jakob Schlyter and myself are working on a draft to store pgp-certs in the
domain name system. It deals with some of the problems that exist if one
would follow the RFC 2538 recommendations on storing PGP certs in the domain
name system. We are using similar semantics.

In the draft we recommend storing pgp-certs (that normally would have owner
names similar to mailbox names) in a specific subdomain by the name of _pgp.
For instance, the PGP key with key ID:

  "Roy Arends" <roy.arends@nominum.com>

would be stored in the DNS as:

  roy.arends._pgp.nominum.com. CERT rdata

This approach has its upsides and downsides. Upsides are for instance being
able to store all pgp related material in a single subzone. Downsides are
PGP specific, and have nothing to do with presentation format.

The only thing I can think of is that when using this approach, one has to
be careful with SRV clashes. Since PGP is an end user application it would
probably be okay. But SSH is a specific protocol running on a specific port.
If you can avoid clashing with SRV name presentations, please do so. But I
see no problem in using multiple keys at an owner name.

The protocol field of the KEY already implies ssh, and it would be expensive
to allocate protocol types for specific versions of one protocol. So why not
allow more than one KEY with a protocol indication for SSH, and let the
application deal with the specific version KEYs.

PS. The draft mentioned will be out next week.

Regards

Roy Arends
Nominum
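The two owner-name conventions discussed in this thread (the _pgp subdomain for PGP certs, and the version-in-the-name variant such as _ssh2.server.example.org), together with the SRV-clash check and the "several KEYs with one protocol value at one owner name, application sorts out the version" proposal, worked through as an added Python example. This is not code from the mail or from the draft it announces. The KEY protocol value PROTO_SSH is a hypothetical placeholder (no such value had been assigned), the helper names are my own, and the RRset is constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Hypothetical KEY protocol value for SSH, used only in this example: the
# thread notes that IANA had assigned no value for SSH at the time.
PROTO_SSH = 250

_MAILBOX = re.compile(r"<([^<>@\s]+)@([^<>@\s]+)>")
_BARE = re.compile(r"^\s*([^<>@\s]+)@([^<>@\s]+)\s*$")


def pgp_owner_name(user_id: str) -> str:
    """Map a PGP user ID to the _pgp subdomain owner name used in the mail:
    '"Roy Arends" <roy.arends@nominum.com>' -> 'roy.arends._pgp.nominum.com.'
    Dots in the local part stay label separators, as in the mail's example."""
    m = _MAILBOX.search(user_id) or _BARE.match(user_id)
    if m is None:
        raise ValueError("user ID carries no mailbox: %r" % user_id)
    local, domain = m.group(1), m.group(2).rstrip(".")
    return "%s._pgp.%s." % (local, domain)


def ssh_owner_name(host: str, version: int) -> str:
    """Version-in-the-name variant from the quoted reply: _ssh2.server.example.org."""
    return "_ssh%d.%s." % (version, host.rstrip("."))


def looks_like_srv_name(owner: str) -> bool:
    """True when the owner name has the _Service._Proto.Name shape of an SRV
    record (RFC 2782), i.e. its first two labels both start with '_'.
    _ssh2.server.example.org has only one underscore label and does not clash."""
    labels = owner.rstrip(".").split(".")
    return len(labels) >= 3 and labels[0].startswith("_") and labels[1].startswith("_")


@dataclass(frozen=True)
class KeyRR:
    """Minimal KEY RR model (RFC 2535 fields): flags, protocol, algorithm, key."""
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes


def keys_for_protocol(rrset, owner, protocol):
    """Select every KEY at one owner name whose protocol field matches.  More
    than one record may come back; deciding which SSH version each key belongs
    to is left to the application, as the mail proposes."""
    want = owner.rstrip(".").lower()
    return [rr for rr in rrset
            if rr.owner.rstrip(".").lower() == want and rr.protocol == protocol]


# Constructed RRset for the demonstration; the key bytes are not real keys.
SAMPLE_RRSET = [
    KeyRR("server.example.org.", 0, PROTO_SSH, 1, b"constructed-ssh-v1-key"),
    KeyRR("server.example.org.", 0, PROTO_SSH, 1, b"constructed-ssh-v2-key"),
    KeyRR("server.example.org.", 0, 3, 1, b"constructed-zone-key"),  # protocol 3 = DNSSEC
]

if __name__ == "__main__":
    print(pgp_owner_name('"Roy Arends" <roy.arends@nominum.com>'))
    for name in (ssh_owner_name("server.example.org", 2),
                 "_ssh._tcp.server.example.org."):
        print(name, "SRV-shaped" if looks_like_srv_name(name) else "no SRV clash")
    ssh_keys = keys_for_protocol(SAMPLE_RRSET, "server.example.org", PROTO_SSH)
    print(len(ssh_keys), "KEY records with the SSH protocol value")
```

keys_for_protocol deliberately returns both SSH KEYs: the selection is by owner name and protocol field only, which is the point of the mail's proposal, and the caller has to recognise the key format of each record to pick the one for the SSH version it speaks.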