

To: keydist@cafax.se
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Mon, 20 May 2002 21:45:08 -0400
In-reply-to: Your message of "Fri, 12 Apr 2002 13:25:08 +0200." <Pine.OSX.4.44.0204121314510.434-100000@criollo.schlyter.pp.se>
Sender: owner-keydist@cafax.se
Subject: Re: Let's assume DNS is involved

-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Jakob" == Jakob Schlyter <jakob@crt.se> writes:
    >> On Sat, 6 Apr 2002 09:34:01 -0500, Greg Hudson wrote (in part):
    >> >   But you probably want to have multiple keys associated with a domain.
    >> > That means they either have to be of different types (see below), or
    >> > we'd have to do srv-style name mangling, which nobody in the DNS working
    >> > group is very happy about.
    >> 
    >> I would like to see [a reference to] a list of reasons why srv-style
    >> names cause unhappiness.  I have subscribed to this list for a while,
    >> so a message-id is sufficient.

    Jakob> magic naming, which srv-style names are, isn't that beautiful. I'm
    Jakob> thinking more into using a combination of NAPTR & APPKEY, almost as in
    Jakob> draft-daigle-napstr-00.txt, e.g:

    Jakob> host.example.com. NAPTR 1 10 "p" "APPKEY+ipsec" "" ipsec.host.example.com.
    Jakob> ipsec.host.example.com. APPKEY ...

    Jakob> this would:

    Jakob> a) limit the size of the RR for host.example.com.
    Jakob> b) remove the magic naming hack

  c) double the latency of the lookups.
  d) uselessly increase the size of the reply if the name server becomes
     "smart" about fixing (c).
  e) seems really brittle in the face of CNAMEs or zones where there is a break
     at the point involved.

  Despite all these discussions, we have yet to hear any good rationale for
stopping our current practice of putting IPsec keys in the reverse zone at
the leaves.

  I'm serious. You want us to invest time and money in changing something
that works well for us, and yet there seems to be no payoff. Not even any
clear tragedy of the commons or some externalized cost that we are missing.

  It seems that people are inventing ever more complicated systems to solve
problems that nobody really has.  

  (The argument against keys at the apex of the zone is well taken. But,
IPsec never cares to do that. The only system that might care is HTTPS, and I 
am doubtful that there will be any converts)

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys

iQCVAwUBPOmmooqHRg3pndX9AQEcuQQAwzaNxifsoCcts4bjOtzc/JNHUAzv9oG0
QGrYqOsUoyrp2CRXrG5CDsFI+mrhDf6GG7r17p7xY2SPzo26n9iBITqukgfjmCbw
y091Kp7QpJLWjpllkHO92U1GK5B/xZYeRr7FwxBgLXV6eiFRQ6ykAVReNyL8qVhG
MwzC/kI7XMY=
=r6tl
-----END PGP SIGNATURE-----
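The two lookup styles argued over above, as an added example that is not part of the original message or any of the posters' software: a toy in-memory resolver that counts queries, so the extra round trip of the NAPTR-then-APPKEY indirection (point c), and what happens when the chain hits a CNAME that leads nowhere (point e), can be seen beside a single KEY lookup at the reverse-zone leaf. The zone contents, the `<ipsec-key-bytes>` placeholder, the `Resolver`, `parse_naptr`, `lookup_via_naptr`, `reverse_name` and `lookup_reverse` names, and the use of a KEY record in `in-addr.arpa` are all constructed for illustration.

```python
"""Toy in-memory resolver comparing the two key-lookup styles in the thread.

Added example: zone data, record text and helper names are constructed for
illustration and do not come from the original post or any real deployment.
"""
import shlex

# Constructed zone data. Record text mimics master-file form; the NAPTR line
# follows the shape quoted in the thread. "<ipsec-key-bytes>" stands in for
# real key material.
ZONE = {
    # Indirection: NAPTR at the host name points at an APPKEY elsewhere.
    ("host.example.com.", "NAPTR"): ['1 10 "p" "APPKEY+ipsec" "" ipsec.host.example.com.'],
    ("ipsec.host.example.com.", "APPKEY"): ["<ipsec-key-bytes>"],
    # A CNAME in front of the host name.
    ("alias.example.com.", "CNAME"): ["host.example.com."],
    # A chain that breaks: the NAPTR target is a CNAME to a name with no APPKEY.
    ("host2.example.com.", "NAPTR"): ['1 10 "p" "APPKEY+ipsec" "" ipsec.host2.example.com.'],
    ("ipsec.host2.example.com.", "CNAME"): ["keys.elsewhere.example."],
    # Direct practice: the key lives at the leaf of the reverse zone.
    ("8.7.6.5.in-addr.arpa.", "KEY"): ["<ipsec-key-bytes>"],
}

MAX_CNAME_HOPS = 8  # guard against CNAME loops in the constructed zone


class Resolver:
    """Counts queries so the round-trip cost of each scheme can be compared."""

    def __init__(self, zone):
        self.zone = zone
        self.queries = 0

    def query(self, name, rtype):
        """One query; CNAMEs are chased inside the answer, as a server would."""
        self.queries += 1
        for _ in range(MAX_CNAME_HOPS):
            rrs = self.zone.get((name, rtype))
            if rrs:
                return rrs
            cname = self.zone.get((name, "CNAME"))
            if not cname:
                return []
            name = cname[0]
        return []


def parse_naptr(rdata):
    """Split 'order pref "flags" "service" "regexp" replacement' into a dict."""
    order, pref, flags, service, regexp, replacement = shlex.split(rdata)
    return {"order": int(order), "pref": int(pref), "flags": flags,
            "service": service, "regexp": regexp, "replacement": replacement}


def lookup_via_naptr(zone, host, service="APPKEY+ipsec"):
    """NAPTR first, then APPKEY: returns (key or None, queries issued)."""
    r = Resolver(zone)
    candidates = [parse_naptr(x) for x in r.query(host, "NAPTR")]
    candidates = [c for c in candidates if c["service"] == service]
    if not candidates:
        return None, r.queries
    best = min(candidates, key=lambda c: (c["order"], c["pref"]))
    keys = r.query(best["replacement"], "APPKEY")
    return (keys[0] if keys else None), r.queries


def reverse_name(ipv4):
    """5.6.7.8 -> 8.7.6.5.in-addr.arpa. (rejects anything that is not IPv4)."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ipv4!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def lookup_reverse(zone, ipv4):
    """KEY at the reverse-zone leaf: returns (key or None, queries issued)."""
    r = Resolver(zone)
    keys = r.query(reverse_name(ipv4), "KEY")
    return (keys[0] if keys else None), r.queries


if __name__ == "__main__":
    print(lookup_via_naptr(ZONE, "host.example.com."))   # ('<ipsec-key-bytes>', 2)
    print(lookup_via_naptr(ZONE, "alias.example.com."))  # ('<ipsec-key-bytes>', 2)
    print(lookup_via_naptr(ZONE, "host2.example.com."))  # (None, 2)
    print(lookup_reverse(ZONE, "5.6.7.8"))               # ('<ipsec-key-bytes>', 1)
```

The query counter is the point: the indirected scheme always costs two queries to the direct scheme's one, and a CNAME at the replacement target that leads to a name with no APPKEY spends both queries and still returns nothing. Whether a real server would fold the second lookup into an additional-section answer (the "smart" server of point d) is outside what this toy models.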
