
Re: [cks-devl] Re: cks


From: Simon Josefsson
Subject: Re: [cks-devl] Re: cks
Date: Fri, 14 Jun 2002 20:40:02 +0200
User-agent: Gnus/5.090007 (Oort Gnus v0.07) Emacs/21.3.50 (i686-pc-linux-gnu)

David Shaw <address@hidden> writes:

>> Consider e.g. finding key of user id 0x5C980097 by looking up
>> (0x5C980097.keyserver.cryptnet.net, IN, CERT).  One benefit from this
>> is that by simply adding NS's for that DNS zone, you get server
>> fail-over without clients having to enter more than the
>> "keyserver.cryptnet.net" string.  Clients also often select the
>> closest server by measuring RTTs so you get better response times and
>> better server loads.
>
> ... and you can use DNS UPDATE to add signatures :)

I guess.

> Simon, can you point me to any examples of this sort of DNS record?
> Somehow I got the idea that RFC 2538 was being deprecated in favor of
> an alternate use of KEY.

RFC 2538 is still the standard.  A new RR called APPKEY has been
discussed, but it isn't intended for certificates (just raw keys).
The RFC 2535 KEY RR was intended for raw keys too, but that has
changed. There are discussions (flamewars) on address@hidden about
this, I believe there are archives somewhere.

Implementing this as a proof of concept could provide input to the
discussions, and also be rather fun.
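
The lookup discussed in this message, as an added example that is not part of the original post or of the cks code: it builds the owner name for the identifier 0x5C980097 and splits CERT RDATA into the RFC 2538 fields. The function names and the sample RDATA are assumptions constructed for illustration.

```python
import struct

# Certificate type values from RFC 2538, section 2.1.
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP", 253: "URI", 254: "OID"}
HEX = set("0123456789abcdefABCDEF")


def cert_owner_name(key_id, zone):
    """Build the owner name used in the thread: 0x<key id>.<zone>."""
    kid = key_id[2:] if key_id[:2].lower() == "0x" else key_id
    # Accept only 8 or 16 hex digits so the key id stays a single label and
    # cannot smuggle extra dots or labels into the query name.
    if len(kid) not in (8, 16) or not set(kid) <= HEX:
        raise ValueError("key id must be 8 or 16 hex digits")
    return "0x%s.%s." % (kid.upper(), zone.strip("."))


def parse_cert_rdata(rdata):
    """Split CERT RDATA: type (2 octets), key tag (2), algorithm (1), data."""
    if len(rdata) < 6:
        raise ValueError("CERT RDATA truncated")
    ctype, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    cert = rdata[5:]
    # Every OpenPGP packet header has bit 7 set; reject anything else early.
    if ctype == 3 and not cert[0] & 0x80:
        raise ValueError("PGP CERT does not start with an OpenPGP packet")
    return {"type": CERT_TYPES.get(ctype, "unassigned/%d" % ctype),
            "key_tag": key_tag, "algorithm": algorithm, "certificate": cert}


# Constructed sample RDATA (not a real key): type 3, key tag 0, algorithm 0,
# followed by four placeholder octets standing in for OpenPGP packet data.
SAMPLE_RDATA = struct.pack("!HHB", 3, 0, 0) + b"\x99\x00\x01\x04"

if __name__ == "__main__":
    print(cert_owner_name("0x5C980097", "keyserver.cryptnet.net"))
    print(parse_cert_rdata(SAMPLE_RDATA))
```

Without DNSSEC the returned certificate is unauthenticated, so the key's fingerprint or signatures still need checking before use.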



