Using $GENERATE on KEY & TXT RRs?

David Terrell dbt at meat.net
Fri Aug 2 23:07:40 UTC 2002


On Fri, Aug 02, 2002 at 05:57:51PM -0400, Michael Richardson wrote:
> 
> 
> >>>>> "Matt" == Matt Larson <mlarson at verisign.com> writes:
>     >> What would it take to change the code so that it also supports
>     >> KEY & TXT RRs?
> 
>     Matt> $GENERATE is not applicable to KEY:
>     Matt> draft-ietf-dnsext-restrict-Key-for-dnssec deprecates all non-DNSSEC uses
>     Matt> for KEY, confining that type to the zone apex.  The DNSSEC document
> 
>   Matt, that's a draft. It isn't gospel.

Dollars to donuts, it will be gospel.  Adding IPSEC/TLS/SSH keys
to the KEY record means you sling a lot of extra data around in DNS
when you're just trying to do DNSSEC verifies; enough to likely
break DNSSEC.
(You can't put KEY subtype in the question section...)

-- 
David Terrell             | "When I take action I'm not going to
Prime Minister, Nebcorp   | fire a $2 million missile at a $10 empty
dbt at meat.net              | tent and hit a camel in the butt. It's
http://wwn.nebcorp.com/   | going to be decisive." - George W. Bush


More information about the bind-workers mailing list