To: ghudson@MIT.EDU, jseng@pobox.org.sg
Cc: keydist@cafax.se
From: Walt Howard <howard@eng.utah.edu>
Date: Tue, 9 Apr 2002 18:52:11 -0600 (MDT)
Sender: owner-keydist@cafax.se
Subject: Re: Let's assume DNS is involved
On Sat, 6 Apr 2002 09:34:01 -0500, Greg Hudson wrote (in part):

> But you probably want to have multiple keys associated with a domain.
> That means they either have to be of different types (see below), or
> we'd have to do srv-style name mangling, which nobody in the DNS working
> group is very happy about.

I would like to see [a reference to] a list of reasons why srv-style names cause unhappiness. I have subscribed to this list for a while, so a message-id is sufficient.

I offer the following reasons why they would be an advantage:

If all I want is the ssh host key for a particular computer, I can query my DNS server for name ssh.appkey.particular.computer and type APPKEY. Then the reply needn't contain other appkeys or any other non-DNSSEC data for particular.computer. If you prefer, substitute CERT for APPKEY. The advantage is that the response may be smaller than if the name were only "particular.computer".

A QTYPE of ANY, as used by older versions of sendmail, would not get the appkeys - it is unlikely to want them.

If the ".appkey" part of the name were located between the hostname and the network name, then the appkeys could be served out of a separate zonefile. There has been some discussion that larger organizations want this feature; srv-style names make it possible.

Walt
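As an added illustration (a constructed example, not part of the original mail or of any standard), the layout the last paragraph describes in BIND-style zone syntax: the host's ordinary records live in example.com, while appkey.example.com is delegated and served from its own zonefile holding only per-application key records. APPKEY was never standardized, so CERT (RFC 2538) stands in for it; example.com, host1, the server names, key tags and certificate bodies are placeholders.

```zone
; ===== file 1: zone example.com (constructed example) =====
$ORIGIN example.com.
$TTL 3600
@        IN SOA  ns1.example.com. hostmaster.example.com. (
                 2002040901 7200 900 1209600 3600 )
         IN NS   ns1.example.com.
ns1      IN A    192.0.2.1

; Ordinary host data. A QTYPE=ANY query for host1.example.com returns
; only what is stored at this owner name; the application keys below
; live under a different name and are not swept up by it.
host1    IN A    192.0.2.10
host1    IN MX   10 mail.example.com.
mail     IN A    192.0.2.25

; Delegation: everything under appkey.example.com is served from a
; separate zonefile (and, if desired, a separate server or team).
appkey   IN NS   ns-keys.example.com.
ns-keys  IN A    192.0.2.53

; ===== file 2: zone appkey.example.com (constructed example) =====
$ORIGIN appkey.example.com.
$TTL 3600
@        IN SOA  ns-keys.example.com. hostmaster.example.com. (
                 2002040901 7200 900 1209600 3600 )
         IN NS   ns-keys.example.com.

; Owner names follow <application>.<host>.appkey.<network>, so a query
; for ssh.host1.appkey.example.com with QTYPE=CERT returns the ssh key
; RRset alone (plus its DNSSEC signature), not the https key and not
; any of host1's address or mail data.
; CERT RDATA: certificate type, key tag, algorithm, base64 certificate.
; Key tags and certificate bodies are placeholders, not real values.
ssh.host1    IN CERT PKIX 12345 5 ( <base64-certificate-placeholder> )
https.host1  IN CERT PKIX 23456 5 ( <base64-certificate-placeholder> )
```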