> Yes, but if anything, the document should recommend not to use online
> DNSSEC signing for _openpgpkey zones. It would be a prime attack vector.
> By using offline signing, no one can ever forge an OPENPGPKEY even if
> they own the DNS server or the Mail server.
There's some assumptions here I'd like to unpack. One is the assumption that keys are all very valuable. Sure, some of them are, but some aren't. As an extreme example, consider something like [email protected], addresses intended to be used a few times and then discarded, where every address has little value and the associated keys wouldn't be worth much either.

Also, a rule like this doesn't help interoperation -- nobody talking to a DNS server can tell whether it's doing online or offline signing. DNSSEC allows online signing, it's going to continue to happen, and it's up to the server managers to assess their security issues, of which potential theft of DNSSEC keys is only one of many. I'd be more worried about users getting phished and bad guys using their credentials to upload PGP keys, replacing the users' own in the zone to be signed.

Most important, there's the scale issue. Reports say that Yahoo has over 300,000,000 active mailboxes and Gmail has over 500,000,000. I gather the goal here is to make publishing your key cheap and easy, so let's posit modest success and say that 20% of Gmail users have keys. It looks to me like a typical PGP key is about 1.5K, so that's 100M keys at 1.5K or a zone file of about 150 gigabytes. The largest signed zone I'm aware of is .COM which as of yesterday is a little under 10GB before signing. Is it really plausible that anyone is going to generate and sign and serve static zones more than an order of magnitude bigger than .COM? That seems like a stretch.

On the other hand, with base32 coding and the option of online signing, it should scale OK since the records in the zone are generated from the user database and signed as needed.

R's,
John

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
