OpenPGP data in the CERT RR
David Shaw
dshaw at jabberwocky.com
Wed Aug 7 07:03:02 CEST 2002
On Wed, Aug 07, 2002 at 01:50:29AM +0200, Simon Josefsson wrote:
> David Shaw <dshaw at jabberwocky.com> writes:
>
> > 4 byte keyid:
> > 0x99242560.whatever.com. IN CNAME 0x7D92FD313AB6F3734CC59CA1DB698D7199242560.dnskeys.example.org.
> >
> > 8 byte keyid:
> > 0x1DB698D7199242560.whatever.com. IN CNAME 0x7D92FD313AB6F3734CC59CA1DB698D7199242560.dnskeys.example.org.
>
> When trying to formalize this, it became clear that there is a problem
> with this approach too. What are you supposed to do when there IS a
> collision? You can only have one CNAME per owner name.
>
> Some alternative solutions. I prefer 1. Opinions?
>
> 1) Don't use CNAME at all.
>
> 0x99242560.whatever.com. IN PGP ...
> 0x99242560.whatever.com. IN PGP ...unrelated data due to collision
> 0x1DB698D7199242560.whatever.com. IN PGP ...
> 0x01230123099242560.whatever.com. IN PGP ...4b collision
> 0x7D92FD313AB6F3734CC59CA1DB698D7199242560.dnskeys.example.org. IN PGP ...
>
> I don't think the space waste will be serious because 1) I don't think
> it will be common to ask for the same data using different KeyID
> lengths, so caches will only store one version anyway and 2) the zone
> will be served from a database.
I agree. Especially since the zone is being served from a database
and the RRs are created on demand, this is the most flexible method.
However, I don't think there should be any rule against using CNAMEs
when appropriate. For example, I control my own DNS - I could put
something like this into my zone:
dshaw.jabberwocky.com. IN CNAME 0x7D92FD313AB6F3734CC59CA1DB698D7199242560.dnskeys.example.org.
As long as I did not have another 'dshaw.jabberwocky.com' RR, I could
then point to the copy of my key on the keyserver without having to
store it and keep it up to date myself.
David
--
David Shaw | dshaw at jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
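The following is an added illustration, not code from the thread or from GnuPG: it derives the short (4-byte) and long (8-byte) key IDs from a v4 fingerprint, publishes a record at every owner name the way option 1 above proposes (so that a short key ID collision simply yields two records at one owner name), and enforces the DNS rule David relies on, that a CNAME must be the only record at its owner name. The "IN PGP" type string is the thread's placeholder notation rather than a registered RR type, the second fingerprint is a constructed value chosen to collide on its low 32 bits, and the zone names are the thread's own examples.

```python
"""Added example (not from the thread): owner names and records for an
OpenPGP key published in DNS, under the 'no CNAME' scheme (option 1),
plus the CNAME-must-be-alone check for an alias like dshaw.jabberwocky.com.
"""

from collections import defaultdict

HEX = set("0123456789ABCDEF")


def key_ids(fingerprint):
    """Return (4-byte key ID, 8-byte key ID) as upper-case hex.

    For a v4 OpenPGP key the key ID is the low-order 64 bits of the
    160-bit fingerprint, and the short key ID is the low-order 32 bits.
    """
    fp = fingerprint.replace(" ", "").upper()
    if len(fp) != 40 or not set(fp) <= HEX:
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return fp[-8:], fp[-16:]


def owner_names(fingerprint, zone):
    """The three owner names a client might query: short ID, long ID, full fingerprint."""
    short, long_ = key_ids(fingerprint)
    full = fingerprint.replace(" ", "").upper()
    return [f"0x{short}.{zone}.", f"0x{long_}.{zone}.", f"0x{full}.{zone}."]


def build_zone(keys, zone):
    """Option 1: a PGP record at every owner name, no CNAMEs.

    `keys` maps fingerprint -> rdata. Two keys whose key IDs collide
    produce two records at the same owner name; the client sorts them
    out by inspecting the key material it gets back.
    """
    records = defaultdict(list)
    for fp, rdata in keys.items():
        for name in owner_names(fp, zone):
            records[name].append((name, "IN", "PGP", rdata))
    return records


def collisions(records):
    """Owner names carrying more than one key, i.e. key ID collisions."""
    return sorted(name for name, rrs in records.items() if len(rrs) > 1)


def add_cname(records, owner, target):
    """Alias name pointing at the keyserver copy of a key.

    RFC 1034 section 3.6.2: a CNAME must be the only record at its owner
    name, so refuse if anything is already published there.
    """
    if records.get(owner):
        raise ValueError(f"{owner} already has data; cannot add a CNAME")
    records[owner].append((owner, "IN", "CNAME", target))


def format_zone(records):
    """Render the records as zone-file lines, sorted for stable output."""
    return "\n".join(" ".join(rr) for name in sorted(records) for rr in records[name])


# Constructed sample data: the fingerprint from the thread plus a hypothetical
# second key whose low 32 bits (short key ID) collide with it.
SAMPLE_KEYS = {
    "7D92FD313AB6F3734CC59CA1DB698D7199242560": "<keyblock-A>",
    "0123012301230123012301230123012399242560": "<keyblock-B>",  # hypothetical
}

if __name__ == "__main__":
    zone = build_zone(SAMPLE_KEYS, "dnskeys.example.org")
    print("colliding owner names:", collisions(zone))
    add_cname(zone, "dshaw.jabberwocky.com.",
              "0x7D92FD313AB6F3734CC59CA1DB698D7199242560.dnskeys.example.org.")
    print(format_zone(zone))
```

Running it shows the short-ID name 0x99242560.dnskeys.example.org. holding both keys while the long-ID and full-fingerprint names stay unique, and a second add_cname at any name that already has PGP data raises, which is exactly why the CNAME approach cannot express a collision.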