To: keydist@cafax.se
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Mon, 20 May 2002 21:45:08 -0400
In-reply-to: Your message of "Fri, 12 Apr 2002 13:25:08 +0200." <Pine.OSX.4.44.0204121314510.434-100000@criollo.schlyter.pp.se>
Sender: owner-keydist@cafax.se
Subject: Re: Let's assume DNS is involved
>>>>> "Jakob" == Jakob Schlyter <jakob@crt.se> writes:
    >> On Sat, 6 Apr 2002 09:34:01 -0500, Greg Hudson wrote (in part):
    >> > But you probably want to have multiple keys associated with a domain.
    >> > That means they either have to be of different types (see below), or
    >> > we'd have to do srv-style name mangling, which nobody in the DNS working
    >> > group is very happy about.
    >>
    >> I would like to see [a reference to] a list of reasons why srv-style
    >> names cause unhappiness. I have subscribed to this list for a while,
    >> so a message-id is sufficient.

    Jakob> magic naming, which srv-style names are, isn't that beautiful. I'm
    Jakob> thinking more into using a combination of NAPTR & APPKEY, almost as in
    Jakob> draft-daigle-napstr-00.txt, e.g:

    Jakob> host.example.com.        NAPTR 1 10 "p" "APPKEY+ipsec" "" ipsec.host.example.com.
    Jakob> ipsec.host.example.com.  APPKEY ...

    Jakob> this would:
    Jakob> a) limit the size of the RR for host.example.com.
    Jakob> b) remove the magic naming hack

  c) double the latency of the lookups.
  d) uselessly increase the size of the reply if the name server becomes
     "smart" about fixing (c).
  e) seems really brittle in the face of CNAMEs or zones where there is a
     break at the point involved.

Despite all these discussions, we have yet to hear any good rationale for
stopping our current practice of putting IPsec keys in the reverse zone at
the leaves.

I'm serious. You want us to invest time and money in changing something
that works well for us, and yet there seems to be no payoff. Not even any
clear tragedy of the commons or some externalized cost that we are missing.

It seems that people are inventing ever more complicated systems to solve
problems that nobody really has.

(The argument against keys at the apex of the zone is well taken. But, IPsec
never cares to do that. The only system that might care is HTTPS, and I am
doubtful that there will be any converts)

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [