
Re: [IPSECKEY] new revision of draft



Hello,

	Some remarks about the draft:

>1.1 Overview
>
>   The IPSECKEY resource record (RR) is used to publish a public key
>   that is to be associated with a Domain Name System (DNS) name.  It
>   will be a public key as only public keys are stored in the DNS.  This
>   can be the public key of a host, network, or application (in the case
>   of per-port keying).

Can you be more accurate about the public key for an application and
per-port keying?

>2.2 RDATA format - algorithm type
>
>   The algorithm type field indicates the type of key that is present in
>   the public key field.  A positive number, larger than 0 identifies an
>   algorithm type.  The values are the same as those defined for DNS
>   Security Algorithm Numbers ([6]).
>
>   A value of 0 indicates that no key is present.
>
>   The following values defined by IANA are useful:
>
>   3  A DSA key is present, in the format defined in [7]
>
>   5  A RSA key is present, in the format defined in [8]

>2.4 RDATA format - RSA public key
>
>   If the algorithm type has the value 1, then public key portion
                                        ^
                                        5 ?

>2.5 RDATA format - DSA public key
>
>   If the algorithm type has the value 2, then public key portion
                                        ^
                                        3 ?

>3.1 Representation of IPSECKEY RRs
>
>   IPSECKEY RRs may appear as lines in a zone data master file.  The
>   precedence, algorithm and gateway fields are mandatory.  The base64
>   encoded public key block is optional.

>   If no gateway is to be indicated, then the root (".") should be used.

Sorry, I am a bit lost here. Do you mean a gateway *field* is REQUIRED,
though a gateway address is optional (according to section 2.1)? Also
section 2.1 does not state that the public key is optional. Maybe section
2.1 should say something like 'the gateway is mandatory but can be self
("."), and the key is mandatory in the case the gateway is self and
optional in the other cases'?

--
Jean-Jacques
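The consistency rules debated above (algorithm 0 means no key, a "." gateway means self, and the reply's proposal that a self gateway requires a key), as an added Python example that is not part of this message or the draft. It assumes the four-field presentation form quoted from section 3.1 (precedence, algorithm, gateway, optional base64 key), models no field the quoted text does not list, and uses the algorithm numbers from section 2.2 (3 = DSA, 5 = RSA) rather than the 1 and 2 that sections 2.4 and 2.5 mistakenly mention; the sample records are constructed.

```python
import base64
import binascii

# Algorithm numbers quoted in section 2.2 of the draft.
ALG_NONE, ALG_DSA, ALG_RSA = 0, 3, 5
ALG_NAMES = {ALG_NONE: "none", ALG_DSA: "DSA", ALG_RSA: "RSA"}


def parse_ipseckey(rdata: str) -> dict:
    """Parse 'precedence algorithm gateway [base64-key]' (the field list
    quoted from section 3.1) and enforce the rules discussed in the thread.
    Raises ValueError on any inconsistency."""
    fields = rdata.split()
    if len(fields) < 3:
        raise ValueError("precedence, algorithm and gateway are mandatory")
    precedence, algorithm, gateway = int(fields[0]), int(fields[1]), fields[2]
    # A base64 block in a master file may be split across whitespace.
    key_b64 = "".join(fields[3:])
    if algorithm not in ALG_NAMES:
        raise ValueError(f"unsupported algorithm number {algorithm}")
    try:
        key = base64.b64decode(key_b64, validate=True) if key_b64 else b""
    except binascii.Error as exc:
        raise ValueError("public key block is not valid base64") from exc
    # Section 2.2: algorithm 0 means no key is present, so the two must agree.
    if (algorithm == ALG_NONE) != (key == b""):
        raise ValueError("algorithm 0 and an absent key must go together")
    # Rule proposed in the reply: gateway "." (self) requires a key.
    if gateway == "." and key == b"":
        raise ValueError('gateway "." (self) requires a public key')
    return {
        "precedence": precedence,
        "algorithm": ALG_NAMES[algorithm],
        "gateway": None if gateway == "." else gateway,
        "key": key,
    }


def is_valid(rdata: str) -> bool:
    """True if the record passes parse_ipseckey, False otherwise."""
    try:
        parse_ipseckey(rdata)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample records; "AQIDBAUG" is a placeholder, not a real key.
    for rec in ("10 5 gw.example.com AQIDBAUG", "10 0 gw.example.com",
                "10 5 . AQIDBAUG", "10 0 .", "10 5 gw.example.com"):
        print(f"{rec!r}: {'accepted' if is_valid(rec) else 'rejected'}")
```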
-
This is the IPSECKEY@sandelman.ca list.
Email to ipseckey-request@sandelman.ca to be removed.