OID and other nonexisting resource records...

Gunther Schadow gunther at aurora.rg.iupui.edu
Tue Jun 27 00:39:25 UTC 2000


Hi,

I have a few questions to those who understand the tradition of DNS
and might have a feeling about its future. I'll make three short 
questions out of it:

(1) Has there ever been a resource record for ISO OIDs proposed for DNS? 

(2) Why is X.500/LDAP needed when DNS exists?

(3) With KEY and CERT records today, will DNS be a common widely used 
means for public key and certificate distribution beyond what's needed
for secure DNS operation?


Ad 1) It would seem as if one could use the DNS to resolve OIDs and
to allow tying the OID hierarchy together.  Otherwise you are pretty
hosed when trying to resolve 2.16.840.1.113883, an impossible endeavor.
With DNS, an OID would behave just like a domain. At the end, each OID 
domain has either an authoritative name server assigned, or some 
cleartext name, e-mail, and 3-d world contact address for it. The 
existing DNS infrastructure could thus be used to work with OIDs. Of
course, whether ISO would be willing to use such a profane protocol
as DNS to publish root authority information is another story. :-)

Ad 2) I probably have an answer: because X.500 is able to associate
multiple attributes (tag-value pairs) to nodes in the name-graph
while DNS traditionally has only one short piece of information for
each entry. But why not make an attribution DNS record that can
associate these name-value pairs as well? For instance, it could be
some small piece of XML? Is there any DNessiquette that would not
allow DNS resource values to exceed a certain small number of bytes?
Why would you want that? Well, at some point consolidating
functionality around one protocol suite might reduce maintenance
and operating expenses.

Ad 3) This question is very real. I wonder which way to go for
IPsec communication. So far I haven't got the feeling which
key-distribution mechanism will prevail. All I've seen is that IPsec
implementations require you to configure keys pretty manually (by
typing them in!) or use peculiar protocols. What will the de facto
standard be? Is DNS considered a credible and likely option?

Any hints or references (FAQ? papers?) are appreciated.
Thank you,
-Gunther
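As an added example that is not part of Gunther's post (nor anything BIND or any RFC specifies), the following Python sketches what the idea in Ad 1) and the size question in Ad 2) would look like on the wire: an OID is mapped to a DNS name under an assumed zone `oid.example.`, the delegation chain a resolver would walk is listed arc by arc, the name is encoded in RFC 1035 wire format with the real 63-octet label and 255-octet name limits enforced, and a TXT RDATA is built with the real 255-octet per-character-string limit (a TXT record may carry several such strings, which is why "small number of bytes" is not a hard ceiling). The reversed-label layout is borrowed from how ENUM maps E.164 numbers (RFC 2916) and is an assumption of this example.

```python
"""Added example: OID-to-DNS mapping and DNS wire-format limits.

The zone OID_ZONE and the reversed-label layout are assumptions of this
example; the length limits are the ones in RFC 1035.
"""
import struct
from typing import List

OID_ZONE = "oid.example."  # hypothetical apex zone, assumed for this example
MAX_LABEL = 63             # RFC 1035: a label is at most 63 octets
MAX_NAME = 255             # RFC 1035: a wire-format name is at most 255 octets
MAX_CHARSTRING = 255       # RFC 1035: one TXT <character-string> is at most 255 octets
QTYPE_TXT = 16
QCLASS_IN = 1


def _arcs(oid: str) -> List[str]:
    """Split a dotted OID into its arcs, rejecting anything non-numeric."""
    arcs = oid.strip(".").split(".")
    if not arcs or not all(a.isdigit() for a in arcs):
        raise ValueError("not a dotted OID: %r" % oid)
    return arcs


def oid_to_name(oid: str) -> str:
    """Map 2.16.840.1.113883 to 113883.1.840.16.2.oid.example. (most
    specific arc first, so DNS delegation follows the OID tree)."""
    return ".".join(reversed(_arcs(oid))) + "." + OID_ZONE


def delegation_chain(oid: str) -> List[str]:
    """Names a resolver would walk from the root arc down to the full OID;
    each one could carry its own NS (authoritative server) or contact data."""
    arcs = _arcs(oid)
    return [".".join(reversed(arcs[:i])) + "." + OID_ZONE
            for i in range(1, len(arcs) + 1)]


def encode_name(name: str) -> bytes:
    """RFC 1035 wire encoding: length-prefixed labels, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= MAX_LABEL:
            raise ValueError("label length %d not in 1..%d" % (len(raw), MAX_LABEL))
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > MAX_NAME:
        raise ValueError("name is %d octets, limit is %d" % (len(out), MAX_NAME))
    return out


def build_query(name: str, qtype: int, qid: int) -> bytes:
    """A single-question DNS query: 12-byte header (RD set) + one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def txt_rdata(text: str) -> bytes:
    """TXT RDATA: the payload is split into <character-string>s of at most
    255 octets, each prefixed by its length, so longer values are possible."""
    data = text.encode("utf-8")
    chunks = [data[i:i + MAX_CHARSTRING] for i in range(0, len(data), MAX_CHARSTRING)]
    return b"".join(bytes([len(c)]) + c for c in chunks)


if __name__ == "__main__":
    oid = "2.16.840.1.113883"  # the OID from the post
    print(oid_to_name(oid))
    for step in delegation_chain(oid):
        print("  would resolve:", step)
    print(build_query(oid_to_name(oid), QTYPE_TXT, 0x1234).hex())
```

The query built here is a plain UDP-sized message; before EDNS0 (RFC 2671) a response had to fit in 512 octets, which is the other limit the "small number of bytes" question runs into.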

More information about the bind-users mailing list