<<On Sat, 16 Aug 2008 08:25:33 +0200, Johansson Olle E <[EMAIL PROTECTED]> said:

> Getting [DNSsec] support into implementations also takes time, so this
> might go hand-in-hand.

It appears that I misspoke (miswrote?) earlier: the current DNSsec specification doesn't allow you to use DNSKEY records to store keys for anything else. So you'd have to fall back on a specially-formatted TXT record, or else get IETF to define a new TLSKEY record (and get all of the DNS implementations in the world to learn about it, a tall order).

There's an interesting question as to where in the DNS you'd want to store the key record for xmpp federation. There are three places you might want to try:

1) example.org
2) _xmpp-server._tcp.example.org
3) canonical-name-of-server.example.org

(1) and (3) have the issue that it's unclear to what service the key actually belongs, and some organizations' policies may make (1) difficult. On the other hand, I'm not sure if the service-location specification allows for anything other than SRV records at (2), which is where I think it makes the most sense. (However, this would have to be carefully specified to handle the case of multiple servers with different keys.)

-GAWollman
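Added example (not from the message above, and not code from any XMPP or DNS project): a small Python model of the three candidate key locations, run against a constructed in-memory zone so it needs no network. It assumes an ad-hoc TXT format "xmpp-key=..." standing in for the TLSKEY record that does not exist, and it shows one way to handle the "multiple servers with different keys" case: a key published at the server's own name (location 3) is only honoured when that server is an SRV target of _xmpp-server._tcp.<domain> (location 2), with a key at the service name or the apex (location 1) as fallbacks. SRV weights are ignored; only priority ordering is modelled.

```python
"""Locate the federation key a given XMPP server must present for a domain.

Constructed example: the zone below is made up, and "xmpp-key=" in TXT is an
assumed stand-in for an RR type the DNS does not define.
"""

KEY_TXT_PREFIX = "xmpp-key="  # assumption: ad-hoc TXT encoding of the key

# Constructed zone data (not real records): owner name -> RR type -> rdata list.
ZONE = {
    "example.org.": {
        # Location (1): an apex key, shared by anything the apex vouches for.
        "TXT": ["v=spf1 -all", "xmpp-key=apex-key-0001"],
    },
    "_xmpp-server._tcp.example.org.": {
        # Location (2): SRV (priority, weight, port, target). A TXT key here,
        # if the SRV spec tolerates one, would apply to every target at once.
        "SRV": [(10, 60, 5269, "s1.example.org."),
                (10, 40, 5269, "s2.example.org."),
                (20, 0, 5269, "backup.example.org.")],
    },
    # Location (3): per-server keys under the servers' canonical names.
    "s1.example.org.": {"TXT": ["xmpp-key=host-key-s1"]},
    "s2.example.org.": {"TXT": ["xmpp-key=host-key-s2"]},
    # backup.example.org. publishes no key of its own, so it falls back.
    # A host outside the SRV set publishes a key too; it must never be accepted.
    "evil.example.net.": {"TXT": ["xmpp-key=rogue-key"]},
}


def lookup(zone, name, rrtype):
    """Return the rdata list for (name, rrtype), or [] if absent."""
    return list(zone.get(name, {}).get(rrtype, []))


def keys_in_txt(rdatas):
    """Extract key material from TXT rdata carrying the assumed prefix."""
    return [r[len(KEY_TXT_PREFIX):] for r in rdatas if r.startswith(KEY_TXT_PREFIX)]


def srv_targets(zone, domain):
    """Targets of _xmpp-server._tcp.<domain>, lowest priority first (weights ignored)."""
    rrs = lookup(zone, "_xmpp-server._tcp." + domain, "SRV")
    return [target for _, _, _, target in sorted(rrs, key=lambda r: (r[0], -r[1]))]


def federation_keys(zone, domain, target):
    """Return (location, keys) that `target` must present when serving `domain`.

    Most specific first: (3) the server's own name, (2) the service name,
    (1) the apex. Returns (None, []) when nothing is published.
    """
    service = "_xmpp-server._tcp." + domain
    for location, name in ((3, target), (2, service), (1, domain)):
        keys = keys_in_txt(lookup(zone, name, "TXT"))
        if keys:
            return location, keys
    return None, []


def key_acceptable(zone, domain, target, presented):
    """Accept `presented` only if `target` is an SRV target for `domain`'s XMPP
    service and the key matches what the DNS binds to that target."""
    if target not in srv_targets(zone, domain):
        return False  # a key under some other name says nothing about this service
    _, keys = federation_keys(zone, domain, target)
    return presented in keys


if __name__ == "__main__":
    for host in srv_targets(ZONE, "example.org.") + ["evil.example.net."]:
        loc, keys = federation_keys(ZONE, "example.org.", host)
        print(host, "location", loc, "keys", keys,
              "accepted" if key_acceptable(ZONE, "example.org.", host, keys[0] if keys else "") else "rejected")
```

The point of the SRV membership check in key_acceptable is the "to what service does the key belong" problem with locations (1) and (3): a key under a hostname is bound to the domain's XMPP service only through the SRV record at location (2), so a host that is not an SRV target is rejected even though it publishes a well-formed key.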
