

To: Wesley Griffin <wgriffin@tislabs.com>
cc: dnssec@cafax.se
From: Olafur Gudmundsson <ogud@ogud.com>
Date: Sun, 8 Jul 2001 18:53:45 -0400 (EDT)
Delivery-Date: Mon Jul 9 09:19:54 2001
In-Reply-To: <20010706155831.A5167@tislabs.com>
Sender: owner-dnssec@cafax.se
Subject: Re: SSH keys in DNS



On Fri, 6 Jul 2001, Wesley Griffin wrote:

> So I've been working on modifying the OpenSSH client to lookup host keys
> via DNS and I've run into an issue with the KEY record and
> protocol/algorithm octets.
> 
> SSH has 2 protocols: version 1 and version 2.  The v1 protocol uses RSA
> for host keys, and the v2 protocol uses both DSA and RSA for host keys.
> I don't know how other clients work, but the OpenSSH client uses a
> different RSA key for the v1 key and v2 key.
> 

If my recollection of the SSH protocol is correct then server and client
offer up their own keys; all DNS is supposed to do is to
create a binding of the name in DNS to the key offered by that host.
If both keys are in DNS then that is good enough.


> Initially I wrote the secsh-dns-key-format-00 draft to request only a
> single protocol value from IANA for the DNS KEY record. The problem is
> that when a v1 RSA key and v2 RSA key are both put in DNS, the protocol
> distinction is lost.

That is the right way; the subtyping within an application is not a DNS
problem.
And I will make the argument that if the protocol is not backward compatible
then it should be called something different.

> 
> I thought that perhaps the way to proceed would be to request 2 protocol
> values from IANA: an SSHv1 protocol value and SSHv2 protocol value. But
> I'm wondering if since it is still the SSH protocol, just a different
> version, whether this is the appropriate method.

If SSHv1 and SSHv2 are non-interoperable protocols then maybe they should
be using different names and run on different ports ;-)

> 
> Should there be a protocol version octet in the DNS KEY record?
> I don't know what the best approach is, but would like to know what others
> think.

No, we cannot change the KEY record.
At this point we have limited experience with using application KEY
records; let's see how things evolve and try to find out how to
advise how to store keys and other information in DNS for applications.

	Olafur
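The binding check Olafur describes, as an added example that is not part of either message and is not OpenSSH or draft code. It packs and unpacks RFC 2535 KEY RDATA (flags, protocol, algorithm, public key), stores an SSHv1 RSA key, an SSHv2 RSA key and an SSHv2 DSA key for one host under a single protocol value, and then shows both halves of the thread's point: the two RSA records are indistinguishable by their octets (Wesley's lost distinction), yet a client of either version can still verify the key the server actually offered against the RRset. Assumptions: the protocol value `PROTO_SSH_PLACEHOLDER` is a stand-in, since the page says no IANA value had been assigned; the RSA key field is assumed to use the RFC 2537 wire form (exponent length, exponent, modulus); algorithm numbers are the RFC 2535/3110 ones; all key material is constructed toy data, not real keys.

```python
import struct

# RFC 2535 KEY RDATA: flags (16 bits), protocol (8), algorithm (8), public key.
# Flags 0x0200: name-type bits 6-7 = 10, a host/entity key (RFC 2535 section 3.1.2).
FLAGS_HOST_KEY = 0x0200

# RFC 2535 / RFC 3110 algorithm numbers.
ALG_RSA_MD5 = 1
ALG_DSA = 3
ALG_RSA_SHA1 = 5

# ASSUMPTION: no protocol value had been assigned to SSH when this thread was
# written; 200 is a placeholder, not an IANA assignment. 255 means "all protocols".
PROTO_SSH_PLACEHOLDER = 200
PROTO_ALL = 255


def encode_rsa_public_key(exponent, modulus):
    """RFC 2537 wire form of an RSA public key: exponent length, exponent, modulus.
    ASSUMPTION: an SSH KEY record would reuse this encoding for the key field."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    hdr = bytes([len(e)]) if len(e) < 256 else b"\x00" + struct.pack(">H", len(e))
    return hdr + e + n


def decode_rsa_public_key(field):
    """Inverse of encode_rsa_public_key; returns (exponent, modulus)."""
    if field[0] != 0:
        elen, off = field[0], 1
    else:
        elen, off = struct.unpack(">H", field[1:3])[0], 3
    exponent = int.from_bytes(field[off:off + elen], "big")
    modulus = int.from_bytes(field[off + elen:], "big")
    return exponent, modulus


def encode_key_rdata(flags, protocol, algorithm, pubkey):
    """Pack one KEY RR RDATA."""
    return struct.pack(">HBB", flags, protocol, algorithm) + pubkey


def decode_key_rdata(rdata):
    """Unpack one KEY RR RDATA into (flags, protocol, algorithm, pubkey)."""
    flags, protocol, algorithm = struct.unpack(">HBB", rdata[:4])
    return flags, protocol, algorithm, rdata[4:]


def candidate_records(rrset, algorithm):
    """Public keys in the RRset usable for an SSH host key of this algorithm.
    An SSHv1 RSA key and an SSHv2 RSA key both land here with identical
    flags/protocol/algorithm octets: the record carries no protocol version."""
    keys = []
    for rdata in rrset:
        _flags, protocol, alg, pubkey = decode_key_rdata(rdata)
        if protocol in (PROTO_SSH_PLACEHOLDER, PROTO_ALL) and alg == algorithm:
            keys.append(pubkey)
    return keys


def host_key_bound_in_dns(offered_alg, offered_pubkey, rrset):
    """The check Olafur describes: the server offers its key in the SSH
    handshake; DNS only has to say whether that key is bound to the name."""
    return offered_pubkey in candidate_records(rrset, offered_alg)


# Constructed toy key material (NOT real RSA keys; far too small to be secure).
V1_RSA = (65537, 0xC0FFEE_1234_5678_9ABC_DEF0_1357_9BDF_2468)
V2_RSA = (65537, 0xDEADBEEF_0F1E_2D3C_4B5A_6978_8796_A5B4_C3D2)
V2_DSA = b"\x00" * 20 + b"constructed-dsa-key-bytes"  # opaque placeholder
ROGUE_RSA = (3, 0xBADC0DE_0000_1111_2222_3333_4444_5555_6666)


def example_rrset():
    """The host's KEY RRset under the single-protocol-value scheme."""
    return [
        encode_key_rdata(FLAGS_HOST_KEY, PROTO_SSH_PLACEHOLDER, ALG_RSA_SHA1,
                         encode_rsa_public_key(*V1_RSA)),
        encode_key_rdata(FLAGS_HOST_KEY, PROTO_SSH_PLACEHOLDER, ALG_RSA_SHA1,
                         encode_rsa_public_key(*V2_RSA)),
        encode_key_rdata(FLAGS_HOST_KEY, PROTO_SSH_PLACEHOLDER, ALG_DSA, V2_DSA),
    ]


if __name__ == "__main__":
    rrset = example_rrset()
    # Two RSA records that nothing in the octets tells apart: the lost distinction.
    print(len(candidate_records(rrset, ALG_RSA_SHA1)))  # 2
    # Each client version still verifies exactly the key it was offered.
    print(host_key_bound_in_dns(ALG_RSA_SHA1, encode_rsa_public_key(*V1_RSA), rrset))  # True
    print(host_key_bound_in_dns(ALG_RSA_SHA1, encode_rsa_public_key(*V2_RSA), rrset))  # True
    print(host_key_bound_in_dns(ALG_DSA, V2_DSA, rrset))  # True
    print(host_key_bound_in_dns(ALG_RSA_SHA1, encode_rsa_public_key(*ROGUE_RSA), rrset))  # False
```

The membership check is only as strong as the RRset it runs against: a client must obtain the KEY RRset through a DNSSEC-validating path, otherwise a spoofed answer binds an attacker's key to the host name and the check accepts it.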

