Using $GENERATE on KEY & TXT RRs?

Loomis, Rip GILBERT.R.LOOMIS at saic.com
Sat Aug 3 02:28:46 UTC 2002


> > Adding IPSEC/TLS/SSH keys to the KEY record means you
> > sling a lot of extra data around in DNS when you're just
> > trying to do DNSSEC verifies; enough to likely 
> > break DNSSEC.

> Why would DNSSEC break because of this?  If DNSSEC breaks
> because of unrelated data, perhaps DNSSEC should be fixed
> instead of forbidding the unrelated data.

First, I agree with Matt's recommendation to take the
discussion to namedroppers...but as another way to state what
Matt already stated quite well above, it's not that having
lots of non-DNSSEC info in KEY records "breaks DNSSEC".  It's
that having to sort through all the possible cruft at the top
of a zone and look for the "right" key causes the DNSSEC
signature verification process to take too long.  There's not
much IMHO that can realistically be done to engineer either
the software or the protocol to fix this...other than limiting
the KEY record as that I-D discusses, and using APPKEY or
something similar to store the non-DNS application keys.

If anyone sees any holes in my summary above...ask me on
namedroppers.

  --Rip
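
As an added illustration of the cost Rip describes (this is example code, not part of the thread or of BIND), the snippet below models a zone apex whose KEY RRset holds one DNSSEC zone key plus a number of TLS/IPSEC application keys, computes the key tag a verifier uses to pick candidate keys for a SIG, and reports how many KEYs must be inspected and how large the RRset becomes in a response. Field layouts follow RFC 2535 (zone-key flag, protocol octets, key-tag algorithm); the key material, the 128-octet key size and the 13-octet owner name are constructed assumptions.

```python
import struct
from dataclasses import dataclass

# RFC 2535 KEY RDATA fields: flags (bit 7 = zone key), protocol, algorithm
ZONE_KEY_FLAG = 0x0100
PROTO_TLS, PROTO_DNSSEC, PROTO_IPSEC, PROTO_ALL = 1, 3, 4, 255
ALG_RSASHA1 = 5                   # RFC 3110

@dataclass(frozen=True)
class KeyRR:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes             # constructed sample material, not a real key

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

def key_tag(rr: KeyRR) -> int:
    """Key tag (footprint) per RFC 2535 App. C, for algorithms other than RSA/MD5."""
    acc = 0
    for i, b in enumerate(rr.rdata()):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def verification_candidates(rrset, sig_alg, sig_key_tag):
    """What a verifier does with one SIG: every KEY in the apex RRset is inspected,
    and only zone keys usable for DNSSEC with matching algorithm and tag are tried."""
    tried = [k for k in rrset
             if k.flags & ZONE_KEY_FLAG
             and k.protocol in (PROTO_DNSSEC, PROTO_ALL)
             and k.algorithm == sig_alg and key_tag(k) == sig_key_tag]
    return len(rrset), tried

def rrset_wire_size(rrset, owner_len=13):
    """Octets the RRset costs in a response (owner + TYPE/CLASS/TTL/RDLENGTH + RDATA).
    owner_len 13 assumes a two-label apex name such as example.com."""
    return sum(owner_len + 10 + len(k.rdata()) for k in rrset)

def build_apex(n_app_keys):
    """One zone key plus n application (TLS/IPSEC) keys sharing the apex KEY RRset."""
    zone_key = KeyRR(ZONE_KEY_FLAG, PROTO_DNSSEC, ALG_RSASHA1, bytes(range(128)))
    apps = [KeyRR(0, PROTO_IPSEC if i % 2 else PROTO_TLS, ALG_RSASHA1, bytes([i]) * 128)
            for i in range(n_app_keys)]
    return [zone_key] + apps, zone_key

if __name__ == "__main__":
    for n in (0, 20):
        rrset, zk = build_apex(n)
        inspected, tried = verification_candidates(rrset, ALG_RSASHA1, key_tag(zk))
        print(f"{n:2d} app keys: {inspected} KEYs inspected, {len(tried)} tried, "
              f"{rrset_wire_size(rrset)} octets (classic UDP limit 512)")
```

With 20 application keys the single zone key is still the only one tried, but the whole 3255-octet RRset has to be fetched, hashed under the KEY RRset's SIG and walked for every verification, which is the overhead the message refers to.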


More information about the bind-workers mailing list