OpenPGP data in the CERT RR

Simon Josefsson jas at
Wed Aug 7 02:49:01 CEST 2002

David Shaw <dshaw at> writes:

> 4 byte keyid:
> 8 byte keyid:

When trying to formalize this, it became clear that there is a problem
with this approach too.  What are you supposed to do when there IS a
collision?  You can only have one CNAME per owner name.

Some alternative solutions.  I prefer 1.  Opinions?

1) Don't use CNAME at all.

   IN PGP ...
   IN PGP ...          ; unrelated data due to collision
   IN PGP ...
   IN PGP ...          ; 4b collision
   IN PGP ...

I don't think the space waste will be serious because 1) I don't think
it will be common to ask for the same data using different KeyID
lengths, so caches will only store one version anyway and 2) the zone
will be served from a database.

2) Use CNAMEs at 8byte and full fingerprint only.

   IN PGP ...
   IN PGP ...          ; unrelated data due to collision
   IN CNAME 0x99242560
   IN CNAME 0x99242560
   IN CNAME 0x99242560

In some sense this saves space.  OTOH replies will be unnecessarily
large when 4byte collisions happen even if the 8b/full keyid is used.
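As an added illustration of the two layouts discussed in this message (this is not code from the list or from any of the posters), the following models a zone built either way from two keys that collide on their 4-byte key ID, and resolves queries against it. The "0x<hex>" owner-name form is assumed from the CNAME targets quoted above; the zone name, fingerprints and record payloads are constructed sample values.

```python
# Added example: behaviour of the "no CNAME" and "CNAME at 8byte/full" layouts
# under a 4-byte key ID collision.  Owner names of the form 0x<hex> are an
# assumption taken from the CNAME targets in the message; ZONE, KEYS and the
# payload strings are constructed sample data.
from collections import defaultdict

ZONE = "example.org."   # assumed zone apex

def owner_names(fpr_hex):
    """Owner names a key is reachable under: full fingerprint, 8-byte key ID
    (last 16 hex digits) and 4-byte key ID (last 8 hex digits)."""
    fpr = fpr_hex.lower()
    return (f"0x{fpr}.{ZONE}", f"0x{fpr[-16:]}.{ZONE}", f"0x{fpr[-8:]}.{ZONE}")

def layout_no_cname(keys):
    """Option 1: the PGP record is repeated under every owner name, so a
    4-byte collision just produces an RRset holding several PGP records."""
    zone = defaultdict(list)
    for fpr, payload in keys.items():
        for name in owner_names(fpr):
            zone[name].append(("PGP", payload))
    return dict(zone)

def layout_cname(keys):
    """Option 2: data lives under the 4-byte name only; the 8-byte and
    full-fingerprint names are CNAMEs pointing at it."""
    zone = defaultdict(list)
    for fpr, payload in keys.items():
        full, kid8, kid4 = owner_names(fpr)
        zone[kid4].append(("PGP", payload))
        zone[kid8].append(("CNAME", kid4))
        zone[full].append(("CNAME", kid4))
    return dict(zone)

def lookup_pgp(zone, qname):
    """PGP payloads a resolver ends up with for qname, following the single
    CNAME hop a DNS answer would carry (an owner may hold at most one CNAME)."""
    rrs = zone.get(qname, [])
    cnames = [tgt for typ, tgt in rrs if typ == "CNAME"]
    if len(cnames) > 1:
        raise ValueError(f"{qname}: only one CNAME allowed per owner name")
    if cnames:
        rrs = zone.get(cnames[0], [])
    return [p for typ, p in rrs if typ == "PGP"]

def pgp_copies(zone):
    """How many PGP records the zone stores in total (the space-waste question)."""
    return sum(1 for rrs in zone.values() for typ, _ in rrs if typ == "PGP")

# Constructed: two unrelated keys whose fingerprints end in the same 4 bytes.
KEYS = {
    "11111111111111111111111111111111" + "99242560": "<key A>",
    "222222222222222222222222" + "AAAAAAAA" + "99242560": "<key B>",
}
```

Querying the 8-byte name of key A returns only key A in layout 1 but both keys in layout 2, which is the oversized-reply effect noted above; layout 2 in turn stores a third as many PGP records.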

