To: Scott Rose <scottr@antd.nist.gov>
Cc: Wesley Griffin <wgriffin@tislabs.com>, DNSSEC <dnssec@cafax.se>
From: Jakob Schlyter <jakob@crt.se>
Date: Fri, 6 Jul 2001 22:59:28 +0200 (MEST)
Delivery-Date: Sun Jul 8 21:39:24 2001
In-Reply-To: <003701c1065c$c8511740$b9370681@antd.nist.gov>
Sender: owner-dnssec@cafax.se
Subject: Re: SSH keys in DNS
On Fri, 6 Jul 2001, Scott Rose wrote:

> I would suggest against adding another field to the KEY record just to
> benefit a few protocols (version field).
>
> Assigning two separate protocol values would be somewhat better, but the
> idea of using a SRV like naming scheme for KEY RRs sounds like a better
> path. That way there would be a distinct name for each KEY record:
>
> _ssh1.example.com and
> _ssh2.example.com

I agree - based on discussion on this mailing-list, Ed Lewis has proposed
that we allocate a protocol value that basically says 'the protocol is
encoded in the owner name'. This would typically lead us to a SRV type
naming scheme, and I think we also should include the transport (even if
for ssh currently only tcp is used), e.g.

    _ssh._tcp.host.example.com. IN KEY ...

This will also give us something that looks like SRV-records, which I
believe is, as to ease understanding, a good thing. In addition to that
you might want to use different keys for different transports.

As I understand, you can use a ssh protocol v2 RSA key with v1 and vice
versa; the difference is what it is used for. I suggest we clarify this
with the secsh wg.

	jakob

-- 
Jakob Schlyter <jakob@crt.se>
Network Analyst
Phone: +46 31 701 42 13, +46 70 595 07 94
Carlstedt Research & Technology
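The owner-name scheme discussed in the message above, as an added example that is not part of the original mailing-list post or of any DNSSEC/secsh specification: two small helpers that build a KEY RR owner name of the form "_<protocol>._<transport>.<host>." and parse one back into its parts, so a resolver-side consumer can tell a protocol-in-owner-name KEY from an ordinary host KEY. The function names, the requirement that both leading labels start with an underscore, and the case-folding rule are this example's own assumptions, as is the constructed list of owner names used to exercise it.

```python
"""
Added example (not from the original message): build and parse SRV-style
KEY RR owner names such as "_ssh._tcp.host.example.com.", where the
protocol and transport are carried in the owner name rather than in a
field of the KEY record.  Label rules below are this example's assumptions.
"""
from typing import NamedTuple, Optional, List


class KeyOwner(NamedTuple):
    protocol: str   # e.g. "ssh"
    transport: str  # e.g. "tcp"
    host: str       # fully qualified, lower-cased, with trailing dot


def key_owner_name(protocol: str, transport: str, host: str) -> str:
    """Return "_<protocol>._<transport>.<host>." for a KEY RR owner name.

    Rejects labels that are empty, contain a dot, or already carry the
    underscore prefix, so callers cannot accidentally double it.
    """
    for label in (protocol, transport):
        if not label or "." in label or label.startswith("_"):
            raise ValueError(f"bad label: {label!r}")
    fqdn = host if host.endswith(".") else host + "."
    return f"_{protocol.lower()}._{transport.lower()}.{fqdn.lower()}"


def parse_key_owner(name: str) -> Optional[KeyOwner]:
    """Split an owner name into (protocol, transport, host), or None.

    A name qualifies only when its first two labels are underscore-prefixed
    and at least one non-underscore host label follows them.  A plain host
    name, or a name with a single underscore label (the "_ssh1.example.com"
    style quoted in the thread), is therefore reported as not matching.
    """
    fqdn = name if name.endswith(".") else name + "."
    labels = fqdn.split(".")[:-1]          # drop empty label after the dot
    if len(labels) < 3:
        return None
    proto, trans, first_host = labels[0], labels[1], labels[2]
    if not (proto.startswith("_") and trans.startswith("_")):
        return None
    if len(proto) < 2 or len(trans) < 2 or first_host.startswith("_"):
        return None
    host = ".".join(labels[2:]).lower() + "."
    return KeyOwner(proto[1:].lower(), trans[1:].lower(), host)


def keys_for(owner_names: List[str], protocol: str, transport: str,
             host: str) -> List[str]:
    """Pick the owner names that carry a KEY for one protocol/transport/host.

    Comparison is case-insensitive on every part, as DNS names are.
    """
    want = KeyOwner(protocol.lower(), transport.lower(),
                    (host if host.endswith(".") else host + ".").lower())
    return [n for n in owner_names if parse_key_owner(n) == want]


# Constructed sample owner names (not real zone data) to exercise the helpers.
SAMPLE_OWNERS = [
    "_ssh._tcp.host.example.com.",
    "_SSH._TCP.Host.Example.COM",    # same name, different case, no final dot
    "_ssh._udp.host.example.com.",   # different transport, different key
    "_ssh1.example.com.",            # single-label style from the quoted mail
    "host.example.com.",             # ordinary host KEY, not in this scheme
]

if __name__ == "__main__":
    print(key_owner_name("ssh", "tcp", "host.example.com"))
    for n in SAMPLE_OWNERS:
        print(f"{n:32} -> {parse_key_owner(n)}")
    print(keys_for(SAMPLE_OWNERS, "ssh", "tcp", "host.example.com"))
```

The parser deliberately refuses the single-label "_ssh1.example.com" form so that a consumer built for the transport-bearing scheme cannot be fed a key meant for a different layout; whether such a consumer should also check the KEY record's own protocol field is the allocation question the message leaves to the working group.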