OpenPGP data in the CERT RR

Simon Josefsson jas at
Wed Aug 7 13:53:01 CEST 2002

Matthew Byng-Maddick <gnupg at> writes:

> On Wed, Aug 07, 2002 at 01:50:29AM +0200, Simon Josefsson wrote:
>> IN PGP ...
>                            ^^
>       Out of interest, why use the IN namespace at all?
> OpenPGP does not have to be "Internet Network" related, even though it
> is on the IETF standards-track.

It uses an already defined standards-track RR (CERT, RFC 2538) which
is in the IN class.  I guess we could define separate RRs, and there
might even be some advantages with that (no need to use owner name to
differentiate between certs and revocation data).  To define new RRs
in a different class would require defining a new class, and I don't
see what advantage that would give us, only lots of work.

> I also ought to register my dislike of the whole twisting of the DNS to
> serve up arbitrary PGP data. I'm really not fond of the use of CNAMEs and
> other such meaningful (for hosts at least) RRs to do this. Not that I have
> any influence, but it's a point of view. Especially as I know, off the top
> of my head at least one case where the "represent the email address as you
> would in an SOA" trick that you're talking about wouldn't work:
>   Ben Laurie's canonical email address is: ben at
>   try looking up the SOA RR for, and you'll find that it
>   exists.
> This is, IMHO, a showstopper for the use of CNAMEs.

Yes, it seems CNAMEs doesn't work.  But should it be forbidden?  David
demonstrated it does make sense in some cases.

I think the wording should be relaxed to simply say that you should
get back the certificate if you query a certain (NAME, CLASS, TYPE)
tuple.  If it is via CNAME indirection, so be it, although this should
probably not be the common case.

More information about the Gnupg-devel mailing list