To:
Edward Lewis <lewis@tislabs.com>
Cc:
keydist@cafax.se
From:
Greg Hudson <ghudson@MIT.EDU>
Date:
27 Dec 2001 12:10:57 -0500
Delivery-Date:
Thu Dec 27 18:11:02 2001
In-Reply-To:
<v03130301b850fd3a4f53@[199.171.39.21]>
Sender:
owner-keydist@cafax.se
Subject:
Re: From whence we came...
On Thu, 2001-12-27 at 11:40, Edward Lewis wrote:
> P.S. For the record, I am not convinced that application keys should be
> elsewhere other than DNS, nor am I convinced that they do belong in DNS. I
> do still lean towards DNS as a candidate, but am open to other ideas at
> this point. (Why belongs in another thread...)
There is a compromise of sorts, which is to distribute keys via some key
server protocol (either a new protocol or a profile or some existing
protocol), but allow the key server's master key to be distributed via
DNS using some new RR type. This is perhaps the most complex of both
worlds for the task of fetching keys, but it has the advantages that:
* You can still chain DNSSEC trust to application keys.
* You don't have to have multiple keys in the same RR set.
* You don't have to bend the DNS namespace by querying for a different
name than the domain you're asking about.
* You don't have to create a new RR type for each application.
There are still some issues; for instance, if MIT wants to run a single
key server for the ssh keys for all of its machines, then if you ssh to
foo.bar.mit.edu, either ssh has to somehow by clever enough to look for
the key server records for mit.edu, or MIT needs to have some kind of
wildcard record (or just lots of duplicate records) for each host.
There would also still be some objections in the DNS group, e.g.
Hallam-Baker opposed the notion of chaining DNSSEC trust to applications
on security grounds (noting that even if a site doesn't use these
records, their DNS servers might become a point of attack against
important applications when it wasn't before). And the Randy Bush
element, which opposes, well:
> At 11:29 AM -0500 12/27/01, Randy Bush wrote:
> >far far from it. there is a very long history before folk trying to
> >throw non-dns data into the dns.
Mmm, rhetoric. You can't put "non-dns data into the dns", by the most
intuitive definition of "dns data." You can certainly data in the DNS
which isn't related to hostname to IP address mapping or service
locations or anything else which DNS is commonly used for right now;
that would be better described as putting "new types of data into the
dns."