KEY RR, was Re: CERTificates and public keys

[Edward Lewis <lewis@tislabs.com>]

At 1:57 PM -0400 9/4/01, Dan Massey wrote:
>Perhaps we have some consensus on at least one point.  Does anyone object
>to restricting the KEY so it only holds DNS keys?

I would word this as the KEY RR "SHOULD" be restricted to DNSSEC - as
opposed to MUST.  The only problem with the KEY RR holding application keys
is the limitation on protocol numbers and the flags.  It's possible to
squeeze other keys in there, but I wouldn't recommend it.  (It's not like a
KEY RR is *unable* to hold application keys.)


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.