OpenPGP data in the CERT RR

David Shaw dshaw at jabberwocky.com
Wed Aug 7 07:03:02 CEST 2002


On Wed, Aug 07, 2002 at 01:50:29AM +0200, Simon Josefsson wrote:
> David Shaw <dshaw at jabberwocky.com> writes:
> 
> > 4 byte keyid:
> > 0x99242560.whatever.com. IN CNAME 0x7D92FD313AB6F3734CC59CA1DB698D7199242560.dnskeys.example.org.
> >
> > 8 byte keyid:
> > 0x1DB698D7199242560.whatever.com. IN CNAME 0x7D92FD313AB6F3734CC59CA1DB698D7199242560.dnskeys.example.org.
> 
> When trying to formalize this, it became clear that there is a problem
> with this approach too.  What are you supposed to do when there IS a
> collision?  You can only have one CNAME per owner name.
> 
> Some alternative solutions.  I prefer 1.  Opinions?
> 
> 1) Don't use CNAME at all.
> 
> 0x99242560.whatever.com. IN PGP ...
> 0x99242560.whatever.com. IN PGP ...unrelated data due to collision
> 0x1DB698D7199242560.whatever.com. IN PGP ...
> 0x01230123099242560.whatever.com. IN PGP ...4b collision
> 0x7D92FD313AB6F3734CC59CA1DB698D7199242560.dnskeys.example.org. IN PGP ...
> 
> I don't think the space waste will be serious because 1) I don't think
> it will be common to ask for the same data using different KeyID
> lengths, so caches will only store one version anyway and 2) the zone
> will be served from a database.

I agree.  Especially since the zone is being served from a database,
so the RRs are created on demand, this is the most flexible method.

However, I don't think there should be any rule against using CNAMEs
when appropriate.  For example, I control my own DNS - I could put
something like this into my zone:

dshaw.jabberwocky.com. IN CNAME 0x7D92FD313AB6F3734CC59CA1DB698D7199242560.dnskeys.example.org.

As long as I did not have another 'dshaw.jabberwocky.com' RR, I could
then point to the copy of my key on the keyserver without having to
store it and keep it up to date myself.

David

-- 
   David Shaw  |  dshaw at jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
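As an added illustration (not code from this thread or from GnuPG), here is a small model in Python of option 1 above: the zone carries one PGP RR per lookup name with no CNAME, so a key-ID collision simply yields several RRs at the same owner name, and the client disambiguates with the full fingerprint instead of trusting a short key ID. Assumed: each RR is modelled as a (fingerprint, key blob) pair, key IDs are taken as the low-order bytes of a v4 fingerprint, and the two colliding fingerprints are constructed.

```python
from typing import Dict, List, Optional, Tuple

# Fingerprint quoted in the thread, plus two constructed fingerprints whose
# 4-byte (COLL4) and 8-byte (COLL8) key IDs collide with it.
FP_DSHAW = "7D92FD313AB6F3734CC59CA1DB698D7199242560"
FP_COLL4 = "0123456789ABCDEF0123456789ABCDEF99242560"
FP_COLL8 = "FEDCBA9876543210FEDCBA98DB698D7199242560"

# owner name -> list of PGP RRs; each RR is modelled as (fingerprint, key blob),
# the stored fingerprint standing in for one computed from the key material.
Zone = Dict[str, List[Tuple[str, str]]]


def owner_name(fingerprint: str, keyid_bytes: Optional[int], domain: str) -> str:
    """0x<hex>.<domain>. for a 4-byte, 8-byte or (None) full-fingerprint lookup.

    A v4 OpenPGP key ID is the low-order bytes of the fingerprint, so the
    short forms are suffixes of the hex fingerprint."""
    fp = fingerprint.upper()
    hexpart = fp if keyid_bytes is None else fp[-2 * keyid_bytes:]
    return f"0x{hexpart}.{domain}."


def publish(zone: Zone, fingerprint: str, key_blob: str, domain: str) -> None:
    """Server side of option 1: the key is reachable under all three lookup
    names without CNAME, so a collision just adds another RR to that owner."""
    for nbytes in (4, 8, None):
        zone.setdefault(owner_name(fingerprint, nbytes, domain), []).append(
            (fingerprint.upper(), key_blob))


def lookup(zone: Zone, fingerprint: str, keyid_bytes: Optional[int],
           domain: str) -> List[Tuple[str, str]]:
    """All RRs at the owner name derived from the given key-ID length."""
    return zone.get(owner_name(fingerprint, keyid_bytes, domain), [])


def select_key(rrs: List[Tuple[str, str]], expected_fp: str) -> Optional[str]:
    """Client side: a short key ID is not a unique name, so accept only the
    RR whose fingerprint is the one we expect; None if absent or ambiguous."""
    matches = [blob for fp, blob in rrs if fp == expected_fp.upper()]
    return matches[0] if len(matches) == 1 else None


def build_zone(domain: str = "example.org") -> Zone:
    """Constructed zone: three keys, two of which collide with FP_DSHAW."""
    zone: Zone = {}
    publish(zone, FP_DSHAW, "<key dshaw>", domain)
    publish(zone, FP_COLL4, "<key colliding at 4 bytes>", domain)
    publish(zone, FP_COLL8, "<key colliding at 8 bytes>", domain)
    return zone
```

With the constructed zone, the 4-byte owner name holds three RRs and the 8-byte one two, while only the full-fingerprint name is unambiguous.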