To: Keith Moore <moore@cs.utk.edu>
Cc: keydist@cafax.se
From: Simon Josefsson <simon+keydist@josefsson.org>
Date: Wed, 12 Jun 2002 20:31:05 +0200
In-Reply-To: <B92CD60F.CA06%david.conrad@nominum.com> (David Conrad's message of "Wed, 12 Jun 2002 10:42:23 -0700")
Sender: owner-keydist@cafax.se
User-Agent: Gnus/5.090007 (Oort Gnus v0.07) Emacs/21.2.90 (i686-pc-linux-gnu)
Subject: Re: Global PKI on DNS?
David Conrad <david.conrad@nominum.com> writes:

> Keith,
>
> On 6/11/02 9:36 PM, "Keith Moore" <moore@cs.utk.edu> wrote:
>> okay, first the fact that DNS RRs aren't very extensible,
>
> CERT RRs are implemented in recent versions of all DNS servers I'm aware of.
>
>> so if you want to cram something new that doesn't quite fit then you have
>> an upgrade problem.
>
> Older versions of BIND do have difficulties with RR types they don't
> understand. However, older versions of BIND also have difficulties keeping
> user supplied data within buffers, so perhaps upgrading to current versions
> would be a good idea in any case. New versions of BIND and most other DNS
> servers I'm aware of, allow for "unknown" RRs.

Furthermore, the "upgrade" "problem" only affects those people who want to use certificates in DNS, thus it is not a "problem" for them (or anyone else).

If you don't want to use CERT RRs you don't need to upgrade your DNS server!

If you want to use CERT RRs you need to upgrade your DNS server!

I find it truly amazing that those two statements could possibly be perceived as a design problem. It is what most people expect when they bring in a new feature.
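The two mechanisms this exchange turns on are the CERT RR itself (RDATA layout: 2-byte certificate type, 2-byte key tag, 1-byte algorithm, then the certificate bytes, per RFC 4398) and the "unknown RR" handling that lets a server store and serve an RR type it has no parser for, using the RFC 3597 generic text form `TYPE<n> \# <length> <hex>`. The following is an added example, not code from the original message, from BIND, or from any other project it mentions. It parses a CERT RDATA, and it shows how the same bytes would be carried opaquely by a server that treats type 37 as unknown. The sample RDATA and its key tag, algorithm and "certificate" bytes are constructed for the example and are not a real certificate.

```python
import struct

# RFC 4398 certificate type codes (the ones the example needs to name).
CERT_TYPE_NAMES = {1: "PKIX", 2: "SPKI", 3: "PGP", 4: "IPKIX", 5: "ISPKI", 6: "IPGP"}
CERT_RRTYPE = 37  # RR type number assigned to CERT


def parse_cert_rdata(rdata: bytes) -> dict:
    """Parse CERT RDATA: type(2) | key tag(2) | algorithm(1) | certificate(n).

    Rejects RDATA shorter than the fixed 5-byte header instead of reading
    past the buffer; the certificate body is returned unparsed.
    """
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its 5-byte fixed header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return {
        "type": cert_type,
        "type_name": CERT_TYPE_NAMES.get(cert_type, "unknown"),
        "key_tag": key_tag,
        "algorithm": algorithm,
        "certificate": rdata[5:],
    }


def generic_rr_text(rtype: int, rdata: bytes) -> str:
    """Render an RR in the RFC 3597 generic form: TYPE<n> \\# <len> <hex>.

    This is what a server that does not know the type can store in a zone
    file and serve on the wire without interpreting the RDATA at all.
    """
    return f"TYPE{rtype} \\# {len(rdata)} {rdata.hex()}"


def parse_generic_rr_text(text: str) -> tuple:
    """Inverse of generic_rr_text; checks the declared length matches the hex.

    RFC 3597 allows the hex to be broken into whitespace-separated words,
    so all tokens after the length are joined before decoding.
    """
    parts = text.split()
    if len(parts) < 3 or not parts[0].upper().startswith("TYPE") or parts[1] != "\\#":
        raise ValueError("not an RFC 3597 generic RR")
    rtype = int(parts[0][4:])
    declared_len = int(parts[2])
    rdata = bytes.fromhex("".join(parts[3:]))
    if len(rdata) != declared_len:
        raise ValueError(f"declared length {declared_len} != actual {len(rdata)}")
    return rtype, rdata


# Constructed sample: PKIX type (1), key tag 12345, algorithm 5, and four
# placeholder bytes standing in for a DER-encoded certificate.
SAMPLE_CERT_RDATA = struct.pack("!HHB", 1, 12345, 5) + b"\x30\x82\x01\x00"


if __name__ == "__main__":
    print(parse_cert_rdata(SAMPLE_CERT_RDATA))
    text = generic_rr_text(CERT_RRTYPE, SAMPLE_CERT_RDATA)
    print(text)
    print(parse_generic_rr_text(text) == (CERT_RRTYPE, SAMPLE_CERT_RDATA))
```

The round trip through `generic_rr_text` and `parse_generic_rr_text` is the property that makes the "unknown RR" argument work: a server only needs the length-prefixed opaque form to serve a CERT record correctly, and only a client that wants to use the certificate needs `parse_cert_rdata`.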