
Re: [dnsext] RRTYPE request: template for proposed RKEY RRtype



Hi,

On Fri, Nov 21, 2008 at 01:07:14PM -0600, Andrew Sullivan wrote:

>    D.   Motivation for the new RRTYPE application?
> 
>    	Storage of keying material in the DNS is currently limited to
>    	keys used for Secure DNS and transaction authentication. This
>    	is somewhat limiting. It is possible to store encrypted data

well, in conjunction with RFC3445 mentioned further below, this is rather
straightforward. We've learned about "subtyping" and it was clear that
any application in need of a key would have to define its own RR type,
likely based upon KEY.

>    	other RRtypes. A scheme for encrypting NAPTR records is
>    	outlined in draft-timms-encrypt-naptr-01. Defining an RRtype

What worries me here is the actual application, that tries to introduce
confidentiality into the DNS.  The basic problem statement has been
regularly reappearing on namedroppers and might be worth pursuing,
but I'd consider that a DNS architectural matter.  Doing this en passant
with an RR type definition appears a bit like introducing the death
sentence by standardizing the blades of the Guillotine.

>    	protocol field set to 1. Further details about the record
>    	format and its potential applications are given in
>    	draft-reid-dnsext-rkey-00.txt.

The draft indicates it is seeking "Standards Track" publication.  If that
is intentional, why is an Expert Review necessary at this stage?
Independent of this question, 2929bis does not require a stable
reference and a draft mentioned here might just expire.  I'm not sure
this is a good idea.

-Peter
