OpenPGP data in the CERT RR

David Shaw dshaw at
Wed Aug 7 07:03:02 CEST 2002

On Wed, Aug 07, 2002 at 01:50:29AM +0200, Simon Josefsson wrote:
> David Shaw <dshaw at> writes:
> > 4 byte keyid:
> >
> > 8 byte keyid:
> When trying to formalize this, it became clear that there is a problem
> with this approach too.  What are you supposed to do when there IS a
> collision?  You can only have one CNAME per owner name.
> Some alternative solutions.  I prefer 1.  Opinions?
> 1) Don't use CNAME at all.
> IN PGP ...
> IN PGP ...unrelated data due to collision
> IN PGP ...
> IN PGP ...4b collision
> IN PGP ...
> I don't think the space waste will be serious because 1) I don't think
> it will be common to ask for the same data using different KeyID
> lengths, so caches will only store one version anyway and 2) the zone
> will be served from a database.

I agree.  Especially since the zone is being served from a database,
so the RRs are created on demand, this is the most flexible method.

However, I don't think there should be any rule against using CNAMEs
when appropriate.  For example, I control my own DNS - I could put
something like this into my zone: IN CNAME

As long as I did not have another '' RR, I could
then point to the copy of my key on the keyserver without having to
store it and keep it up to date myself.


   David Shaw  |  dshaw at  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
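As an added example (not code from the thread or from GnuPG), a toy model in Python of option 1 as discussed above: owner names are derived from the 4-byte and 8-byte key IDs, keys whose short IDs collide simply coexist as several PGP RRs under one name, and the client disambiguates by checking the full fingerprint. The `_pgp.example.net.` naming suffix and the fingerprints are assumed/constructed values.

```python
# Added example, not from the thread: model of a zone that serves several PGP
# RRs per owner name instead of CNAMEs, with the client resolving collisions.
# Assumptions: owner names look like "<hex keyid>._pgp.example.net."; the
# fingerprints below are constructed sample values, not real keys.
from collections import defaultdict

KEYID_LENS = (4, 8)  # 32-bit and 64-bit key IDs, as in the quoted thread

def keyid(fingerprint_hex: str, nbytes: int) -> str:
    """The OpenPGP v4 key ID is the low-order bytes of the fingerprint."""
    return fingerprint_hex[-2 * nbytes:].lower()

def owner_name(fingerprint_hex: str, nbytes: int,
               suffix: str = "_pgp.example.net.") -> str:
    """Assumed naming scheme: <keyid>.<suffix>."""
    return f"{keyid(fingerprint_hex, nbytes)}.{suffix}"

def build_zone(keys):
    """Map each owner name to the list of (fingerprint, keyblob) RRs it holds.

    Without CNAMEs, two keys that share a 4-byte ID both land under the same
    owner name; the zone just serves both RRs (Simon's option 1)."""
    zone = defaultdict(list)
    for fpr, blob in keys:
        for n in KEYID_LENS:
            zone[owner_name(fpr, n)].append((fpr.lower(), blob))
    return zone

def lookup(zone, fingerprint_hex: str, nbytes: int):
    """Client side: fetch every RR at the keyid name, then keep only the one
    whose full fingerprint matches. A keyid match alone is never sufficient."""
    rrs = zone.get(owner_name(fingerprint_hex, nbytes), [])
    return [blob for fpr, blob in rrs if fpr == fingerprint_hex.lower()]

# Constructed sample: two 20-byte fingerprints that share their low 4 bytes
# (a 4-byte keyid collision) but differ in their low 8 bytes.
KEY_A = ("0123456789ABCDEF0123456789ABCDEFDEADBEEF", b"key-A-blob")
KEY_B = ("FEDCBA9876543210FEDCBA98765432FFDEADBEEF", b"key-B-blob")

if __name__ == "__main__":
    z = build_zone([KEY_A, KEY_B])
    print(len(z[owner_name(KEY_A[0], 4)]), "RRs at the 4-byte name")  # 2
    print(lookup(z, KEY_A[0], 4))  # only key A's blob survives the check
```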

More information about the Gnupg-devel mailing list