OpenPGP data in the CERT RR

Simon Josefsson jas at extundo.com
Wed Aug 7 02:49:01 CEST 2002


David Shaw <dshaw at jabberwocky.com> writes:

> 4 byte keyid:
> 0x99242560.whatever.com. IN CNAME 0x7D92FD313AB6F3734CC59CA1DB698D7199242560.dnskeys.example.org.
>
> 8 byte keyid:
> 0x1DB698D7199242560.whatever.com. IN CNAME 0x7D92FD313AB6F3734CC59CA1DB698D7199242560.dnskeys.example.org.

When trying to formalize this, it became clear that there is a problem
with this approach too.  What are you supposed to do when there IS a
collision?  You can only have one CNAME per owner name.

Some alternative solutions.  I prefer 1.  Opinions?

1) Don't use CNAME at all.

0x99242560.whatever.com. IN PGP ...
0x99242560.whatever.com. IN PGP ...unrelated data due to collision
0x1DB698D7199242560.whatever.com. IN PGP ...
0x01230123099242560.whatever.com. IN PGP ...4b collision
0x7D92FD313AB6F3734CC59CA1DB698D7199242560.dnskeys.example.org. IN PGP ...

I don't think the space waste will be serious because 1) I don't think
it will be common to ask for the same data using different KeyID
lengths, so caches will only store one version anyway and 2) the zone
will be served from a database.

2) Use CNAMEs at 8-byte and full fingerprint only.

0x99242560.whatever.com. IN PGP ...
0x99242560.whatever.com. IN PGP ...unrelated data due to collision
0x1DB698D7199242560.whatever.com. IN CNAME 0x99242560
0x00000000099242560.whatever.com. IN CNAME 0x99242560 
0x7D92FD313AB6F3734CC59CA1DB698D7199242560.dnskeys.example.org. IN CNAME 0x99242560

In some sense this saves space.  OTOH replies will be unnecessarily
large when 4-byte collisions happen even if the 8b/full keyid is used.
