
To: Derek Atkins <warlord@MIT.EDU>
Cc: Edward Lewis <lewis@tislabs.com>, <dnssec@cafax.se>
From: Jakob Schlyter <jakob@crt.se>
Date: Fri, 31 Aug 2001 16:57:15 +0200 (MEST)
Delivery-Date: Fri Aug 31 20:35:31 2001
In-Reply-To: <sjmvgj4tk3q.fsf@rcn.ihtfp.org>
Sender: owner-dnssec@cafax.se
Subject: Re: CERTificates and public keys

On 31 Aug 2001, Derek Atkins wrote:

> CERT records _DO_NOT_ imply X.509.  A CERT record gives you the
> ability to store key information in the DNS in parallel to the DNSSec
> keying material.  This way a DNSSec client WILL NOT get confused.

correct, but cert implies that it contains a public key and a signature.

> Assume you store your ssh key as a KEY record.  Assume your ssh host
> happens to have the same A record as your zone.  Now what?  It implies
> that you have your SSH "KEY" and your Zone "KEY".  How does the SSH
> client know which "KEY" to use?  Worse, what would happen if a DNSSec
> client tries to use the wrong "KEY"?

the ssh client looks at the key protocol field and only uses the ssh
key.

also, you do not have to store the ssh host key at the same name as the
hostname - owner names such as _ssh._tcp.host.example.net have been discussed to
reduce the size of the RRset you get back when querying for a specific key.

> If an SSH key (signed or not) were stored in a CERT record, then clearly
> the SSH client would not get confused, and the DNSSec client would not
> get confused.

the ssh client would be as confused as with multiple other cert records at
the same owner name. this is what the certificate type value is used for.

> True, and quite honestly you can use the CERT record for this, too.  I
> mean, PGP isn't X.509 but there is a PGP Key binding for CERT RRs, no?

pgp is a certificate so cert is very appropriate.

> How can this be if CERT implies X.509?  Obviously there is no such
> requirement on the CERT record.

I stand corrected.

	jakob
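As an added illustration of the selection the two messages above describe (a client filtering a mixed KEY RRset by its protocol field, and a CERT RRset by its certificate type field), the following Python is not from the thread; it parses the RFC 2535 KEY and RFC 2538 CERT wire formats over constructed sample RRsets. The value KEY_PROTO_SSH is a hypothetical placeholder, since no SSH protocol value was ever assigned for KEY.

```python
import struct

# Wire layouts from the RFCs the thread refers to:
#   KEY  RDATA (RFC 2535): flags(2) | protocol(1) | algorithm(1) | public key
#   CERT RDATA (RFC 2538): type(2)  | key tag(2)  | algorithm(1) | certificate
KEY_PROTO_DNSSEC = 3    # RFC 2535 protocol value: DNSSEC zone/host key
KEY_PROTO_SSH = 250     # HYPOTHETICAL placeholder: no SSH protocol value was assigned
CERT_TYPE_PKIX = 1      # RFC 2538: X.509 certificate (PKIX)
CERT_TYPE_PGP = 3       # RFC 2538: OpenPGP packet


def parse_key_rdata(rdata: bytes) -> dict:
    """Split KEY RDATA into its fixed header and the opaque public key."""
    if len(rdata) < 4:
        raise ValueError("KEY RDATA shorter than its 4-byte header")
    flags, proto, alg = struct.unpack("!HBB", rdata[:4])
    return {"flags": flags, "protocol": proto, "algorithm": alg, "key": rdata[4:]}


def parse_cert_rdata(rdata: bytes) -> dict:
    """Split CERT RDATA into type, key tag, algorithm and the certificate blob."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its 5-byte header")
    ctype, tag, alg = struct.unpack("!HHB", rdata[:5])
    return {"type": ctype, "key_tag": tag, "algorithm": alg, "cert": rdata[5:]}


def select_keys(rrset: list, protocol: int) -> list:
    """Keep only the KEY records whose protocol field matches (the client's filter)."""
    return [k for k in map(parse_key_rdata, rrset) if k["protocol"] == protocol]


def select_certs(rrset: list, cert_type: int) -> list:
    """Keep only the CERT records whose type field matches."""
    return [c for c in map(parse_cert_rdata, rrset) if c["type"] == cert_type]


# Constructed sample KEY RRset at one owner name: a DNSSEC zone key
# (flags 0x0100 = NAMTYP zone key) next to a hypothetical SSH host key.
KEY_RRSET = [
    struct.pack("!HBB", 0x0100, KEY_PROTO_DNSSEC, 1) + b"zone-key-bytes",
    struct.pack("!HBB", 0x0000, KEY_PROTO_SSH, 1) + b"ssh-hostkey-bytes",
]
# Constructed sample CERT RRset mixing an X.509 and an OpenPGP record.
CERT_RRSET = [
    struct.pack("!HHB", CERT_TYPE_PKIX, 12345, 1) + b"x509-der-bytes",
    struct.pack("!HHB", CERT_TYPE_PGP, 0, 0) + b"pgp-packet-bytes",
]
```

A DNSSEC validator applying the same protocol filter with KEY_PROTO_DNSSEC never sees the SSH key, which is the point Jakob makes about the protocol field.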
