Re: SSH keys in DNS

["Scott Rose" <scottr@antd.nist.gov>]

I would suggest against adding another field to the KEY record just to
benifit a few protocols (version field).

Assigning two separate protocol values would be somewhat better, but the
idea of using a SRV like nameing scheme for KEY RRs sounds like a better
path.  That way there would be a distinct name for each KEY record:

_ssh1.example.com             and
_ssh2.example.com

In my opinion - cleaner and easier for the code to implement (assuming
standard protocol values).  The protocol field in these cases is still open
to definition, but some in the WG like the idea of defining a default
constant (to stand for "uses _protocol.name" convention).



> So I've been working on modifying the OpenSSH client to lookup host keys
> via DNS and I've run into an issue with the KEY record and
> protocol/algorithm octects.
>
> SSH has 2 protocols: version 1 and version 2.  The v1 protocol uses RSA
> for host keys, and the v2 protocol uses both DSA and RSA for host keys.
> I don't know how other clients work, but the OpenSSH client uses a
> different RSA key for the v1 key and v2 key.
>
> Initially I wrote the secsh-dns-key-format-00 draft to request only a
> single protocol value from IANA for the DNS KEY record. The problem is
> that when a v1 RSA key and v2 RSA key are both put in DNS, the protocol
> distinction is lost.
>
> I thought that perhaps the way to proceed would be to request 2 protocol
> values from IANA: an SSHv1 protocol value and SSHv2 protocol value. But
> I'm wondering if since it is still the SSH protocol, just a different
> version, whether this is the appropriate method.
>
> Should there be a protocol version octect in the DNS KEY record?
> I don't know the best approach is, but would like to know what others
> think.
>
> --
> Wesley Griffin                                                  NAI Labs
> wgriffin at tislabs.com                                     443.259.2388