Sat Aug 16 13:42:07 CDT 2008

said:

> Getting [DNSsec] support into implementations also takes time, so this
> might go hand-in-hand.

It appears that I misspoke (miswrote?) earlier: the current DNSsec
specification doesn't allow you to use DNSKEY records to store keys
for anything else.  So you'd have to fall back on a
specially-formatted TXT record, or else get IETF to define a new
TLSKEY record (and get all of the DNS implementations in the world to
learn about it, a tall order).

There's an interesting question as to where in the DNS you'd want to
store the key record for xmpp federation.  There are three places
you might want to try:

1) example.org
2) _xmpp-server._tcp.example.org
3) canonical-name-of-server.example.org

(1) and (3) have the issue that it's unclear to what service the key
actually belongs, and some organizations' policies may make (1)
difficult.  On the other hand, I'm not sure if the service-location
specification allows for anything other than SRV records at (2), which
is where I think it makes the most sense.  (However, this would have to
be carefully specified to handle the case of multiple servers with
different keys.)



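The three candidate locations above, and the multiple-servers-with-different-keys case at (2), can be made concrete with a small lookup routine. This is an added illustration, not code from the thread or from any XMPP implementation. It assumes a made-up TXT format ("v=tlskey1; h=<server host>; p=<base64 key>") in place of the unspecified "specially-formatted TXT record", and a constructed in-memory zone in place of real DNS answers, so it runs offline; it also assumes the answers have already been DNSSEC-validated, which is not shown.

```python
"""Hypothetical lookup of a per-service TLS key published in DNS TXT records.

Added example: the TXT format (v=tlskey1; h=...; p=...) is invented for
illustration, and ZONE is constructed data standing in for DNS answers.
"""
import base64
import hmac

def _rec(key, host=None):
    """Build one hypothetical TXT record; h= ties a record to one server."""
    p = base64.b64encode(key).decode()
    return f"v=tlskey1; h={host}; p={p}" if host else f"v=tlskey1; p={p}"

# Constructed zone (no network access). Keys are stand-in bytes, not real SPKIs.
ZONE = {
    ("_xmpp-server._tcp.example.org.", "SRV"): [
        (10, 0, 5269, "xmpp1.example.org."),
        (20, 0, 5269, "xmpp2.example.org."),
    ],
    # Candidate (2): one record per server, disambiguated by h=.
    ("_xmpp-server._tcp.example.org.", "TXT"): [
        _rec(b"key-one", "xmpp1.example.org"),
        _rec(b"key-two", "xmpp2.example.org"),
    ],
    # Candidate (3): published at the canonical server name.
    ("xmpp1.example.org.", "TXT"): [_rec(b"key-one")],
    # Candidate (1): zone apex, shared with unrelated TXT records such as SPF.
    ("example.org.", "TXT"): ["v=spf1 -all", _rec(b"key-one")],
}

def lookup(name, rtype, zone=ZONE):
    return zone.get((name, rtype), [])

def parse_tlskey(txt):
    """Parse the hypothetical format into a dict; None for any other TXT."""
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            fields[k.strip()] = v.strip()
    if fields.get("v") != "tlskey1" or "p" not in fields:
        return None
    return fields

def srv_targets(domain, zone=ZONE):
    """SRV targets for the XMPP server-to-server service, by priority."""
    recs = lookup(f"_xmpp-server._tcp.{domain}.", "SRV", zone)
    return [target for _, _, _, target in sorted(recs)]

def find_key(domain, srv_target, zone=ZONE):
    """Return (location, key bytes) for srv_target, trying (2), (3), then (1).

    At (2) several servers may share the name, so a record carrying h= must
    name this server; a record without h= is accepted only when the SRV set
    has a single target, otherwise it is ambiguous and skipped.
    """
    host = srv_target.rstrip(".")
    targets = srv_targets(domain, zone)
    for txt in lookup(f"_xmpp-server._tcp.{domain}.", "TXT", zone):
        f = parse_tlskey(txt)
        if f is None:
            continue
        if f.get("h") == host or ("h" not in f and len(targets) <= 1):
            return ("service", base64.b64decode(f["p"]))
    for txt in lookup(srv_target, "TXT", zone):
        f = parse_tlskey(txt)
        if f:
            return ("server", base64.b64decode(f["p"]))
    # Apex fallback: nothing here says which service or server the key is for.
    for txt in lookup(f"{domain}.", "TXT", zone):
        f = parse_tlskey(txt)
        if f:
            return ("apex", base64.b64decode(f["p"]))
    return None

def key_matches(presented_key, domain, srv_target, zone=ZONE):
    """True if the key the peer presented in TLS equals the DNS-published one."""
    found = find_key(domain, srv_target, zone)
    return found is not None and hmac.compare_digest(found[1], presented_key)

if __name__ == "__main__":
    for target in srv_targets("example.org"):
        print(target, find_key("example.org", target))
```

Running it shows both servers resolved from the service name, each to its own key. Dropping the records at (2) from the zone makes xmpp2 fall through to the apex record and pick up key-one, which is exactly the "unclear to what service the key belongs" problem with (1).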