To: dnssec@cafax.se
From: Wesley Griffin <wgriffin@tislabs.com>
Date: Fri, 6 Jul 2001 15:58:37 -0400
Content-Disposition: inline
Delivery-Date: Sun Jul 8 21:39:20 2001
Sender: owner-dnssec@cafax.se
User-Agent: Mutt/1.2.5i
Subject: SSH keys in DNS

So I've been working on modifying the OpenSSH client to lookup host keys
via DNS and I've run into an issue with the KEY record and
protocol/algorithm octets.

SSH has 2 protocols: version 1 and version 2.  The v1 protocol uses RSA
for host keys, and the v2 protocol uses both DSA and RSA for host keys.
I don't know how other clients work, but the OpenSSH client uses a
different RSA key for the v1 key and v2 key.

Initially I wrote the secsh-dns-key-format-00 draft to request only a
single protocol value from IANA for the DNS KEY record. The problem is
that when a v1 RSA key and v2 RSA key are both put in DNS, the protocol
distinction is lost.

I thought that perhaps the way to proceed would be to request 2 protocol
values from IANA: an SSHv1 protocol value and SSHv2 protocol value. But
I'm wondering if since it is still the SSH protocol, just a different
version, whether this is the appropriate method.

Should there be a protocol version octet in the DNS KEY record?
I don't know what the best approach is, but would like to know what others
think.

-- 
Wesley Griffin                                                  NAI Labs
wgriffin at tislabs.com                                     443.259.2388
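An added illustration of the ambiguity described in the post (example code, not the author's or OpenSSH's): it serializes KEY RDATA in the RFC 2535 wire layout (16-bit flags, 8-bit protocol, 8-bit algorithm, public key) and shows that with one protocol value a client asking for "the RSA host key" gets both the v1 and v2 keys back, while per-version protocol values disambiguate them. The protocol numbers 200/201/202 and the key bytes are constructed placeholders, not IANA assignments.

```python
import struct

# RFC 2535 KEY RDATA: flags (16 bits) | protocol (8 bits) | algorithm (8 bits) | public key.
FLAGS_HOST = 0x0200   # name-type bits 6-7 = "10": key belongs to a host/entity (RFC 2535 3.1.2)
ALG_RSA = 1           # RSA/MD5 algorithm number from RFC 2535
ALG_DSA = 3           # DSA algorithm number from RFC 2535

# Hypothetical protocol octet values, constructed for this example; IANA never assigned them.
PROTO_SSH = 200       # single "SSH" value, as in the -00 draft
PROTO_SSH_V1 = 201    # one value per SSH protocol version
PROTO_SSH_V2 = 202

# Constructed placeholder key blobs (not real key material).
V1_RSA = b"rsa-v1-host-key"
V2_RSA = b"rsa-v2-host-key"
V2_DSA = b"dsa-v2-host-key"


def encode_key_rdata(flags, protocol, algorithm, pubkey):
    """Serialize one KEY RDATA: network-order flags, protocol, algorithm, then the raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def decode_key_rdata(rdata):
    """Parse KEY RDATA back into its fields; the key is everything after the 4-byte header."""
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return {"flags": flags, "protocol": protocol, "algorithm": algorithm, "pubkey": rdata[4:]}


def select_host_keys(rrset, protocol, algorithm):
    """Return the public keys in an RRset whose protocol/algorithm octets match the request."""
    return [r["pubkey"] for r in map(decode_key_rdata, rrset)
            if r["protocol"] == protocol and r["algorithm"] == algorithm]


def single_protocol_rrset():
    """RRset as the -00 draft would publish it: one protocol value for both SSH versions."""
    return [encode_key_rdata(FLAGS_HOST, PROTO_SSH, ALG_RSA, V1_RSA),
            encode_key_rdata(FLAGS_HOST, PROTO_SSH, ALG_RSA, V2_RSA),
            encode_key_rdata(FLAGS_HOST, PROTO_SSH, ALG_DSA, V2_DSA)]


def per_version_rrset():
    """RRset with a distinct protocol value per SSH version, so RSA keys no longer collide."""
    return [encode_key_rdata(FLAGS_HOST, PROTO_SSH_V1, ALG_RSA, V1_RSA),
            encode_key_rdata(FLAGS_HOST, PROTO_SSH_V2, ALG_RSA, V2_RSA),
            encode_key_rdata(FLAGS_HOST, PROTO_SSH_V2, ALG_DSA, V2_DSA)]
```

With a single protocol value, `select_host_keys(single_protocol_rrset(), PROTO_SSH, ALG_RSA)` returns two keys and the client cannot tell which one belongs to the version it is negotiating.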
