To: Jakob Schlyter <jakob@crt.se>
cc: Ólafur Guðmundsson <ogud@ogud.com>, Derek Atkins <warlord@MIT.EDU>, Scott Rose <scottr@antd.nist.gov>, <dnssec@cafax.se>
From: Simon Josefsson <simon+dnssec@josefsson.org>
Date: Fri, 7 Sep 2001 00:01:11 +0200 (CEST)
In-Reply-To: <Pine.BSO.4.33.0109062305200.10762-100000@fonbella.crt.se>
Sender: owner-dnssec@cafax.se
Subject: Re: CERTificates and public keys
On Thu, 6 Sep 2001, Jakob Schlyter wrote:

> On Thu, 6 Sep 2001, Simon Josefsson wrote:
>
> > If APPKEY is supposed to be CERT Done Right, which I think would be a nice
> > goal for it, should it repeat the presumed mistake of sub-typing?
>
> APPKEY does not _need_ sub-typing as it has fields both for protocol and
> version (per protocol).

Yes, isn't that what sub-typing means? The protocol field of APPKEY, and
the certificate type field of CERT, is sub-typing DNS.

A simple solution would be to define an RR that contained as RRDATA simply:

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               /
   /                       keying material                         /
   /                                                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|

And have the owner name as the "type" identifier. Then we'd have no
sub-typing and no large RRsets. But I'm not sure the owner name rules are
good, it seems more like a workaround rather than a real solution.

The real solution would indeed be to have one RR per application.
Sub-typing within RRs is just a workaround because adding new types to DNS
is "difficult". Maybe we should try to push the idea of using one RR per
application instead, forcing applications to behave better, instead of
using workarounds.

On the other hand, having one RR per application is very bad for a
resolver API. It would need one getsshkeybyname() etc, one for each
application. Not good either.

Ok, I'm out of ideas.
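The two designs discussed in this thread, as an added example that is not part of the message above or of any draft it refers to: a sub-typed record in the style of RFC 2538 CERT (type, key tag, algorithm, then the certificate blob) next to a record whose RDATA is only keying material and whose owner name carries the application label. The `_app.host` owner-name convention, the `KEYMAT` type name, the zone contents and the certificate blobs are all constructed for illustration; the key tag is the generic RFC 2535 Appendix C summation, computed here over the blob itself for simplicity rather than over the public key inside a certificate.

```python
import struct
from typing import Dict, List, Tuple

# RFC 2538 CERT RDATA layout: type (16 bits) | key tag (16 bits) | algorithm (8 bits) | certificate/CRL
CERT_TYPE_PKIX = 1
CERT_TYPE_SPKI = 2
CERT_TYPE_PGP = 3
CERT_TYPE_OID = 254   # private type, identified by an OID at the start of the certificate field


def key_tag(key: bytes) -> int:
    """RFC 2535 Appendix C key tag: 16-bit word sum with the carry folded back in.
    (The RSA/MD5 special case of that appendix is deliberately not handled here.)"""
    ac = 0
    for i, b in enumerate(key):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def cert_rdata(cert_type: int, algorithm: int, blob: bytes) -> bytes:
    """Encode a CERT RDATA; the sub-type lives inside the RDATA, not in the owner name."""
    return struct.pack("!HHB", cert_type, key_tag(blob), algorithm) + blob


def parse_cert_rdata(rdata: bytes) -> Tuple[int, int, int, bytes]:
    """Decode CERT RDATA into (type, key tag, algorithm, blob)."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its fixed 5-byte header")
    cert_type, tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return cert_type, tag, algorithm, rdata[5:]


def app_owner(app: str, host: str) -> str:
    """Hypothetical owner-name convention for the 'type in the owner name' design: _app.host."""
    return f"_{app}.{host}"


# A zone is modelled as owner name -> list of (RR type, RDATA). Constructed sample data.
Zone = Dict[str, List[Tuple[str, bytes]]]


def build_zone() -> Zone:
    host = "host.example."
    return {
        # Sub-typed design: every application's material sits in one CERT RRset.
        host: [
            ("CERT", cert_rdata(CERT_TYPE_PKIX, 5, b"pkix-cert-blob")),
            ("CERT", cert_rdata(CERT_TYPE_PGP, 0, b"pgp-key-blob")),
            ("CERT", cert_rdata(CERT_TYPE_OID, 0, b"oid+ssh-key-blob")),
        ],
        # Owner-name-typed design: one small RRset per application, RDATA is just keying material.
        app_owner("pgp", host): [("KEYMAT", b"pgp-key-blob")],
        app_owner("ssh", host): [("KEYMAT", b"ssh-key-blob")],
    }


def query(zone: Zone, owner: str, rtype: str) -> List[bytes]:
    """DNS semantics in miniature: a query returns the whole RRset for (owner, type)."""
    return [rd for (t, rd) in zone.get(owner, []) if t == rtype]


def fetch_subtyped(zone: Zone, host: str, cert_type: int) -> Tuple[int, List[bytes]]:
    """Sub-typed lookup: the resolver receives the entire CERT RRset and filters client-side.
    Returns (records transferred, matching blobs)."""
    rrset = query(zone, host, "CERT")
    wanted = [blob for rd in rrset
              for (ct, _tag, _alg, blob) in [parse_cert_rdata(rd)] if ct == cert_type]
    return len(rrset), wanted


def fetch_owner_typed(zone: Zone, host: str, app: str) -> Tuple[int, List[bytes]]:
    """Owner-name-typed lookup: the application label selects the RRset, so nothing is filtered away.
    Returns (records transferred, blobs)."""
    rrset = query(zone, app_owner(app, host), "KEYMAT")
    return len(rrset), rrset


if __name__ == "__main__":
    zone = build_zone()
    print("sub-typed   :", fetch_subtyped(zone, "host.example.", CERT_TYPE_OID))
    print("owner-typed :", fetch_owner_typed(zone, "host.example.", "ssh"))
```

Running it shows the point about RRset size: the sub-typed lookup transfers all three CERT records to find the one it wants, while the owner-name-typed lookup transfers exactly one. The code also makes the API concern concrete, since `fetch_owner_typed` only works because the owner-name convention is known to the resolver; a real per-application RR type would instead need its own type code and lookup path.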