Paul Wouters <[email protected]> writes:

>> Here are some thoughts, anyway:
>>
>> - Why a new DNS record despite that the CERT type has PGP support for
>>   9 years now (RFC-4398).
>>
>> The argument for a new record is that this makes parsing easier
>> because there is no need to loop over the record's sub-types. I do
>> not consider it a valid argument because there is a need to loop
>> anyway because there may be several DANE records for the same key.
>> Adding an extra loop over the sub-types is a non-brainer and the
>> selection logic to find the best matching record will be the same.
>
> Using subtypes for DNS is something the DNS people in general have
> concluded to be a wrong idea. As stated before, even Olafur who is one
> of the authors of the CERT RRtype advised us not to use CERT (or
> subtyping in general)

Then I believe that community should attempt to move RFC 2538/4398 to
historic. I don't believe there is sufficient consensus for doing that
-- there is good use of CERT records already, although limited.

> Additionally, because the CERT record is a meta-container record,
> support for CERT is not good because to properly parse it you need
> all of openpgp and all of x509 and all of what other subtypes would
> be added later on. So instead of implementing CERT records partially,
> many DNS implementations just did not bother with it at all.

I disagree -- CERT can be implemented without understanding any of
OpenPGP or X.509, and it is implemented by DNS software already.

>> GnuPG has support for such CERT records including a script to create
>> them also for about 9 years. It is not widely used because most users
>> have no way to add records to their zone - that is the same problem
>> for DANE of course.
>
> CERT wasn't widely used because frankly pgp is not widely used. Also,
> CERT without DNSSEC makes no sense

This is false -- CERT makes a lot of sense without DNSSEC, as OpenPGP
keys can be verified through the web of trust.

I don't believe comparing deployment sizes should be a deciding factor
in this context, but I disagree with your notion that OpenPGP is not
widely used.

/Simon
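As an added illustration of the parsing point argued in the message above (example code, not from the thread or from any DNS implementation): a minimal CERT RDATA parser per RFC 4398 that selects the PGP sub-type records out of a mixed RRset in one pass, treating every certificate payload as opaque bytes. The sample RRset is constructed here and contains no real certificates.

```python
import struct

# Certificate type values registered for the CERT RR (RFC 4398, section 2.1).
CERT_TYPES = {
    1: "PKIX", 2: "SPKI", 3: "PGP", 4: "IPKIX", 5: "ISPKI",
    6: "IPGP", 7: "ACPKIX", 8: "IACPKIX", 253: "URI", 254: "OID",
}
PGP = 3

def parse_cert_rdata(rdata: bytes) -> dict:
    """Split CERT RDATA into its 5-byte fixed header and the certificate payload.

    The payload is returned as opaque bytes: nothing here decodes OpenPGP or
    X.509, which is all a DNS-side CERT implementation has to do.
    """
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than the fixed header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return {
        "type": cert_type,
        "type_name": CERT_TYPES.get(cert_type, "unassigned"),
        "key_tag": key_tag,
        "algorithm": algorithm,
        "certificate": rdata[5:],
    }

def select_subtype(rrset, wanted=PGP):
    """One pass over an RRset keeping only the records of a single sub-type.

    Records of other or unassigned sub-types are skipped, not rejected, so a
    mixed RRset (PKIX plus PGP plus URI) needs no special cases.
    """
    return [r["certificate"] for r in map(parse_cert_rdata, rrset) if r["type"] == wanted]

# Constructed sample RRset (placeholder payloads, not real certificates): a PKIX
# record, two PGP records and a URI record, each built as wire-format RDATA.
SAMPLE_RRSET = [
    struct.pack("!HHB", 1, 12345, 8) + b"\x30\x82\x01\x00DER...",
    struct.pack("!HHB", 3, 0, 0) + b"pgp-transferable-public-key-1",
    struct.pack("!HHB", 253, 0, 0) + b"https://example.invalid/key.asc",
    struct.pack("!HHB", 3, 0, 0) + b"pgp-transferable-public-key-2",
]

if __name__ == "__main__":
    for cert in select_subtype(SAMPLE_RRSET):
        print(len(cert), "byte OpenPGP payload handed to the OpenPGP layer")
```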
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
