To:
"'Jakob Schlyter'" <jakob@crt.se>, Derek Atkins <warlord@MIT.EDU>
Cc:
Scott Rose <scottr@antd.nist.gov>, dnssec@cafax.se
From:
"Loomis, Rip" <GILBERT.R.LOOMIS@saic.com>
Date:
Tue, 4 Sep 2001 13:29:35 -0400
Sender:
owner-dnssec@cafax.se
Subject:
RE: CERTificates and public keys
I think we need to bring back the "SINK" RR.

Seriously, I do understand the utility of having a place in the DNS in which to put bare non-DNS keys (as opposed to bare DNS keys, which I think we all agree should stay in the KEY RR). However, if an application wants to use DNSSEC to provide authentication for its keys, that doesn't mean those keys need to go into (and end up complicating/overloading) the KEY RR. (Yes, I know that's what RFC2535 specifically allows--and I didn't like it the first time I read it.)

We have three types of keys to deal with:
- DNSSEC keys [handled in KEY RR]
- Keys/certificates which include their own authentication information/methods, and which can benefit from (but do not rely on) DNSSEC [handled in CERT RR]
- Keys for use by applications which do *not* include their own authentication information/methods, and which therefore rely on DNS/DNSSEC for any assurance.

The third type has currently ended up under the KEY RR per RFC2535, but IMHO it should find a new home. Moving that third type to the CERT RR would cause confusion because these are *not* certificates that we're talking about now. Is it then better to leave the current CERT record intact, or to deprecate it entirely in favor of APPKEY?

Personally I would prefer that there be only one type of record which DNS servers use to support "all the other keys" rather than having both CERT and APPKEY...it seems cleaner, and it allows DNS administrators (and implementors) to avoid worrying about the differences. If it's a DNSSEC key for the zone, then it goes into a KEY RR. If not, it goes into the other catch-all, and all the folks who want to do complicated neato whizbang things in applications can do those things outside of the DNS implementations.
--
Rip Loomis
Senior Systems Security Engineer
SAIC Center for Information Security Technology

> -----Original Message-----
> From: Jakob Schlyter [mailto:jakob@crt.se]
> Sent: Tuesday, 04 September, 2001 12:05
> To: Derek Atkins
> Cc: Scott Rose; dnssec@cafax.se
> Subject: Re: CERTificates and public keys
>
>
> On 4 Sep 2001, Derek Atkins wrote:
>
> > No, a KEY record should ONLY be used for DNSSec keys. No application
> > keys should be put into KEY records.
>
> rfc 2535 specifies that KEY is to be used for both applications and dnssec
> itself. my APPKEY draft changes this and recommends that KEY is deprecated
> for all other protocol values than dnssec.
>
> jakob
>
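The thread turns on the KEY RR's protocol octet: RFC 2535 lets that octet say which protocol a key belongs to (3 means DNSSEC), and the APPKEY draft discussed above would deprecate every other value. The script below is an added example, not code from this thread or from either draft. It is a zone-file lint that parses presentation-format KEY RRs, decodes the name-type bits of the flags field and the protocol octet per RFC 2535, and reports every key that is not a DNSSEC key, i.e. the "third type" of key the message argues should move out of the KEY RR. The zone lines, the owner names under `example.test.` and the key material are constructed for the example; the helper names are the example's own.

```python
"""Lint KEY RRs in a zone file for non-DNSSEC protocol values (added example)."""
import base64
from dataclasses import dataclass

# Protocol octet values from RFC 2535 section 3.1.3.
PROTOCOL_NAMES = {1: "TLS", 2: "email", 3: "DNSSEC", 4: "IPSEC", 255: "all"}
PROTOCOL_DNSSEC = 3

# Name-type field (bits 6-7 of the 16-bit flags, bit 0 = MSB) from RFC 2535 section 3.1.2.
# With that numbering, bit 6 has value 512 and bit 7 has value 256, so the
# two-bit field is (flags >> 8) & 0x3; a zone key (binary 01) is flags 256.
NAME_TYPES = {0: "user", 1: "zone", 2: "entity", 3: "reserved"}

# Constructed sample zone: one DNSSEC zone key and two application keys.
SAMPLE_ZONE = """
; constructed zone fragment for the lint example
example.test.      3600 IN KEY 256 3 1 Y29uc3RydWN0ZWQta2V5 ; zone key, DNSSEC
host.example.test. 3600 IN KEY 512 4 1 Y29uc3RydWN0ZWQta2V5 ; entity key, IPSEC
mail.example.test.      IN KEY 0   2 1 Y29uc3RydWN0ZWQta2V5 ; user key, email
"""


@dataclass
class KeyRecord:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def name_type(self) -> str:
        return NAME_TYPES[(self.flags >> 8) & 0x3]

    @property
    def protocol_name(self) -> str:
        return PROTOCOL_NAMES.get(self.protocol, f"unassigned({self.protocol})")

    @property
    def is_dnssec_key(self) -> bool:
        return self.protocol == PROTOCOL_DNSSEC


def parse_key_rr(line: str) -> KeyRecord:
    """Parse 'owner [TTL] [class] KEY flags protocol algorithm base64key'."""
    fields = line.split(";", 1)[0].split()  # drop a trailing ';' comment
    idx = fields.index("KEY")
    flags, protocol, algorithm = (int(f) for f in fields[idx + 1:idx + 4])
    public_key = base64.b64decode("".join(fields[idx + 4:]))
    return KeyRecord(fields[0], flags, protocol, algorithm, public_key)


def key_records(zone_text: str):
    """Yield the KEY RRs in a zone fragment, skipping comments and other types."""
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line and " KEY " in f" {line} ":
            yield parse_key_rr(line)


def audit(zone_text: str) -> list:
    """Return (owner, protocol, name type) for every KEY RR that is not a DNSSEC key.

    These are the keys the APPKEY draft would deprecate in the KEY RR and the
    message above would move to a single application-key record type.
    """
    return [
        (rec.owner, rec.protocol_name, rec.name_type)
        for rec in key_records(zone_text)
        if not rec.is_dnssec_key
    ]


if __name__ == "__main__":
    for owner, proto, ntype in audit(SAMPLE_ZONE):
        print(f"{owner}: {ntype} key for protocol {proto} is not a DNSSEC key")
```

Run against the constructed fragment, the lint leaves the `256 3` zone key alone and reports the IPSEC entity key and the email user key. Protocol 255 ("all") is deliberately reported too, since a key advertised for every protocol is not the zone's DNSSEC key either.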