Limiting the Scope of the
KEY Resource Record
draft-ietf-dnsext-restrict-key-for-dnssec-04.txt
| Dan Massey, Scott Rose | |
| IPSECKEY BOF 55th IETF | |
| Atlanta GA |
| KEY RR now restricted to DNSSEC protocol only | |||
| No Subtyping of KEY RR | |||
| All other protocols (IPSEC, email, etc.) obsolete and must not be used to store key material | |||
| All flags bits, except one, now obsolete | |||
| “zone key” bit (bit 7 – backwards compatibility) | |||
| Why? | |||
| Avoid large keysets, especially at apex | |||
| Avoid subtypes of KEY RR | |||
| Including using SRV-like naming scheme | |||
| Separate administration of DNSSEC and Application keys | |||
| In RFC Editor’s Queue | |||
| No RFC number yet. | |||
| DNSSEC | |||
| New version of DNS Security Specs in WG | |||
| Focus on DNS only | |||
| Not mentioning other applications/key distribution as a service of DNSSEC | |||
| Not forbidding the storing of application key material in DNS either. | |||
Lessons Learned from DNS KEY RR (Or: Minefield Ahead!)
| Pitfalls to avoid when creating a new RR type to store application key material | |||
| Avoid Subtypes | |||
| Don’t assume DNSSEC is the right trust model | |||
| Define and Justify why DNS and/or DNSSEC makes sense to use in an already existing trust model. | |||
| Clearly state impact on the DNS | |||
| Should be “minimal” (i.e. Just a data RR like TXT) | |||
| Anything requiring a change will probably be a problem. | |||
| Good idea to include someone with DNS experience to consult on these issues. | |||