David Terrell dbt at
Fri Aug 2 23:07:40 UTC 2002

On Fri, Aug 02, 2002 at 05:57:51PM -0400, Michael Richardson wrote:
> >>>>> "Matt" == Matt Larson <mlarson at> writes:
>     >> What would it take to change the code so that it also supports
>     >> KEY & TXT RRs?
>     Matt> $GENERATE is not applicable to KEY:
>     Matt> draft-ietf-dnsext-restrict-Key-for-dnssec deprecates all non-DNSSEC uses
>     Matt> for KEY, confining that type to the zone apex.  The DNSSEC document
>   Matt, that's a draft. It isn't gospel.

Dollars to donuts, it will be gospel.  Adding IPSEC/TLS/SSH keys
to the KEY record means you sling a lot of extra data around in DNS
when you're just trying to do DNSSEC verifies; enough to likely 
break DNSSEC.
(you can't put KEY subtype in the question section....)

David Terrell             | "When I take action I'm not going to
Prime Minister, Nebcorp   | fire a $2 million missile at a $10 empty
dbt at                    | tent and hit a camel in the butt. It's
                          | going to be decisive." - George W. Bush

More information about the bind-workers mailing list