To:
Edward Lewis <lewis@tislabs.com>
Cc:
keydist@cafax.se
From:
Greg Hudson <ghudson@MIT.EDU>
Date:
27 Dec 2001 12:10:57 -0500
Delivery-Date:
Thu Dec 27 18:11:02 2001
In-Reply-To:
<v03130301b850fd3a4f53@[199.171.39.21]>
Sender:
owner-keydist@cafax.se
Subject:
Re: From whence we came...
On Thu, 2001-12-27 at 11:40, Edward Lewis wrote: > P.S. For the record, I am not convinced that application keys should be > elsewhere other than DNS, nor am I convinced that they do belong in DNS. I > do still lean towards DNS as a candidate, but am open to other ideas at > this point. (Why belongs in another thread...) There is a compromise of sorts, which is to distribute keys via some key server protocol (either a new protocol or a profile or some existing protocol), but allow the key server's master key to be distributed via DNS using some new RR type. This is perhaps the most complex of both worlds for the task of fetching keys, but it has the advantages that: * You can still chain DNSSEC trust to application keys. * You don't have to have multiple keys in the same RR set. * You don't have to bend the DNS namespace by querying for a different name than the domain you're asking about. * You don't have to create a new RR type for each application. There are still some issues; for instance, if MIT wants to run a single key server for the ssh keys for all of its machines, then if you ssh to foo.bar.mit.edu, either ssh has to somehow by clever enough to look for the key server records for mit.edu, or MIT needs to have some kind of wildcard record (or just lots of duplicate records) for each host. There would also still be some objections in the DNS group, e.g. Hallam-Baker opposed the notion of chaining DNSSEC trust to applications on security grounds (noting that even if a site doesn't use these records, their DNS servers might become a point of attack against important applications when it wasn't before). And the Randy Bush element, which opposes, well: > At 11:29 AM -0500 12/27/01, Randy Bush wrote: > >far far from it. there is a very long history before folk trying to > >throw non-dns data into the dns. Mmm, rhetoric. You can't put "non-dns data into the dns", by the most intuitive definition of "dns data." You can certainly data in the DNS which isn't related to hostname to IP address mapping or service locations or anything else which DNS is commonly used for right now; that would be better described as putting "new types of data into the dns."