Using $GENERATE on KEY & TXT RRs?
David Terrell
dbt at meat.net
Fri Aug 2 23:07:40 UTC 2002
On Fri, Aug 02, 2002 at 05:57:51PM -0400, Michael Richardson wrote:
>
>
> >>>>> "Matt" == Matt Larson <mlarson at verisign.com> writes:
> >> What would it take to change the code so that it also supports
> >> KEY & TXT RRs?
>
> Matt> $GENERATE is not applicable to KEY:
> Matt> draft-ietf-dnsext-restrict-Key-for-dnssec deprecates all non-DNSSEC uses
> Matt> for KEY, confining that type to the zone apex. The DNSSEC document
>
> Matt, that's a draft. It isn't gospel.
Dollars to donuts, it will be gospel. Adding IPSEC/TLS/SSH keys
to the KEY record means you sling a lot of extra data around in DNS
when you're just trying to do DNSSEC verifies; enough to likely
break DNSSEC.
(you can't put KEY subtype in the question section....)
--
David Terrell | "When I take action I'm not going to
Prime Minister, Nebcorp | fire a $2 million missile at a $10 empty
dbt at meat.net | tent and hit a camel in the butt. It's
http://wwn.nebcorp.com/ | going to be decisive." - George W. Bush
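The point about the question section, as an added example that is not part of the original message: a DNS question carries only QNAME, QTYPE and QCLASS, while the KEY protocol octet sits in the RDATA (RFC 2535), so a verifier asking for DNSSEC keys receives every KEY record at the name and filters afterwards. The RRset, key sizes and names below are constructed for illustration.

```python
import struct

TYPE_KEY, CLASS_IN = 25, 1
# Protocol octet values from RFC 2535 section 3.1.3.
PROTO_TLS, PROTO_DNSSEC, PROTO_IPSEC = 1, 3, 4

def encode_name(name):
    """Encode a domain name as length-prefixed labels (RFC 1035)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_question(qname, qtype=TYPE_KEY, qclass=CLASS_IN):
    """Question section entry: QNAME, QTYPE, QCLASS. There is no field
    in which a client could ask for one KEY protocol only."""
    return encode_name(qname) + struct.pack("!HH", qtype, qclass)

def key_rdata(flags, protocol, algorithm, public_key):
    """KEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def parse_key_rdata(rdata):
    if len(rdata) < 4:
        raise ValueError("KEY RDATA shorter than its fixed header")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return {"flags": flags, "protocol": protocol,
            "algorithm": algorithm, "key_len": len(rdata) - 4}

def rrset_cost(rrset, wanted_protocol):
    """Return (RDATA bytes delivered, RDATA bytes the caller wanted).
    RR headers and the covering SIG are not counted."""
    total = sum(len(r) for r in rrset)
    useful = sum(len(r) for r in rrset
                 if parse_key_rdata(r)["protocol"] == wanted_protocol)
    return total, useful

# Constructed KEY RRset at one owner name: one zone key plus
# application keys; the key bytes are filler, not real keys.
SAMPLE_RRSET = [
    key_rdata(0x0100, PROTO_DNSSEC, 5, b"\x01" * 128),
    key_rdata(0x0000, PROTO_IPSEC, 5, b"\x02" * 256),
    key_rdata(0x0000, PROTO_TLS, 5, b"\x03" * 256),
    key_rdata(0x0000, PROTO_IPSEC, 3, b"\x04" * 128),
]

if __name__ == "__main__":
    q = build_question("example.com")
    print("question bytes:", q.hex())
    total, useful = rrset_cost(SAMPLE_RRSET, PROTO_DNSSEC)
    print(f"delivered {total} RDATA bytes, {useful} needed for DNSSEC")
```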