Simon Josefsson simon+bind9-workers at
Fri Aug 2 23:17:26 UTC 2002

David Terrell <dbt at> writes:

> On Fri, Aug 02, 2002 at 05:57:51PM -0400, Michael Richardson wrote:
>> >>>>> "Matt" == Matt Larson <mlarson at> writes:
>>     >> What would it take to change the code so that it also supports
>>     >> KEY & TXT RRs?
>>     Matt> $GENERATE is not applicable to KEY:
>>     Matt> draft-ietf-dnsext-restrict-Key-for-dnssec deprecates all non-DNSSEC uses
>>     Matt> for KEY, confining that type to the zone apex.  The DNSSEC document
>>   Matt, that's a draft. It isn't gospel.
> Dollars to donuts, it will be gospel.  Adding IPSEC/TLS/SSH keys
> to the KEY record means you sling a lot of extra data around in DNS
> when you're just trying to do DNSSEC verifies; enough to likely 
> break DNSSEC.

Why would DNSSEC break because of this?  If DNSSEC breaks because of
unrelated data, perhaps DNSSEC should be fixed instead of forbidding
the unrelated data.
