[dnssec-deployment] Looking for lost generic application/ssl/fingerprint DNS record draft?

Dan Mahoney, System Admin danm at prime.gushi.org
Wed Nov 4 14:17:06 EST 2009


On Wed, 4 Nov 2009, Wes Hardaker wrote:

>>>>>> On Wed, 04 Nov 2009 16:39:52 +0000, Florian Weimer <fweimer at bfk.de> said:
>
> FW> RFC 4398.  There's still no chain from DNSSEC to transport or
> FW> application layer crypto, though.
>
> If everything is signed and you use a validating resolving library (of
> which there are a few) you can get secure bootstrapping into the client.
> We've done this for OpenSSH, for example.

While I'm plugging a bit, I recently put out a HOWTO on the gnupg-users 
mailing list as to how to put your GPG keys into DNS, as well as a shell 
script that you can use to generate said records.

http://www.gushi.org/make-dns-cert/HOWTO.html

Pay close attention to the two types of CERT records and which to use. 
One contains the full-on cert, the other, just a fingerprint and a url. 
I detail the advantages/disadvantages in the doc.

-Dan

-- 

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
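As an added illustration of the two CERT record forms Dan refers to (this is not code from the HOWTO or from the gushi.org script; it was written for this list archive), the following Python builds and parses both the PGP type (3, whole key in the RDATA) and the IPGP type (6, fingerprint plus URL) as RFC 4398 lays them out: a 16-bit type, 16-bit key tag, 8-bit algorithm, then base64 certificate data, with the key tag and algorithm set to 0 for OpenPGP material. The IPGP payload is one octet of fingerprint length, the fingerprint, then the key-server URL. The key blob, fingerprint, owner name and URL are constructed sample values; the `fingerprint_of` helper is a stand-in (SHA-1 over the whole blob) for gpg's real v4 fingerprint computation, used only to show the check a resolver should make.

```python
import base64
import hashlib

# RFC 4398 certificate type values for OpenPGP material.
CERT_TYPE_PGP = 3   # full OpenPGP public key carried in the record
CERT_TYPE_IPGP = 6  # fingerprint (may be empty) plus URL of the key

# Constructed sample data, not a real key.
SAMPLE_OWNER = "danm.example.invalid."
SAMPLE_KEY = bytes(range(256)) * 4              # 1024-byte stand-in for a key
SAMPLE_URL = "https://example.invalid/keys/danm.asc"


def fingerprint_of(key_bytes):
    """Stand-in for the OpenPGP v4 fingerprint (gpg hashes the key packet,
    not the raw file); here SHA-1 over the blob just models the comparison."""
    return hashlib.sha1(key_bytes).digest()


def cert_rdlength(cert_data):
    """Wire RDLENGTH: 2 (type) + 2 (key tag) + 1 (algorithm) + cert data.
    A full key in a type-3 record easily exceeds a 512-byte UDP answer."""
    return 5 + len(cert_data)


def pgp_cert_line(owner, key_bytes, ttl=3600):
    """Zone-file line for the PGP form: the whole key, base64 encoded."""
    b64 = base64.b64encode(key_bytes).decode("ascii")
    return f"{owner} {ttl} IN CERT {CERT_TYPE_PGP} 0 0 {b64}"


def ipgp_cert_line(owner, fingerprint, url, ttl=3600):
    """Zone-file line for the IPGP form: length octet, fingerprint, URL."""
    if len(fingerprint) > 255:
        raise ValueError("fingerprint does not fit the one-octet length field")
    payload = bytes([len(fingerprint)]) + fingerprint + url.encode("ascii")
    b64 = base64.b64encode(payload).decode("ascii")
    return f"{owner} {ttl} IN CERT {CERT_TYPE_IPGP} 0 0 {b64}"


def parse_cert_line(line):
    """Presentation format back to (type, key_tag, algorithm, cert_data).
    Base64 may be split over several tokens in a zone file, so join them."""
    fields = line.split()
    i = fields.index("CERT")
    cert_type, key_tag, alg = (int(x) for x in fields[i + 1:i + 4])
    cert_data = base64.b64decode("".join(fields[i + 4:]))
    return cert_type, key_tag, alg, cert_data


def parse_ipgp_payload(cert_data):
    """Split an IPGP certificate field into (fingerprint, url)."""
    fp_len = cert_data[0]
    fingerprint = cert_data[1:1 + fp_len]
    url = cert_data[1 + fp_len:].decode("ascii")
    return fingerprint, url


def fetched_key_is_trusted(signed_fingerprint, fetched_key_bytes):
    """The IPGP record only says where to fetch the key; the fingerprint in
    the DNSSEC-signed record is what ties the fetched bytes to the zone.
    An empty fingerprint gives nothing to check, so refuse in that case."""
    if not signed_fingerprint:
        return False
    return fingerprint_of(fetched_key_bytes) == signed_fingerprint


if __name__ == "__main__":
    print(pgp_cert_line(SAMPLE_OWNER, SAMPLE_KEY)[:80], "...")
    print("type-3 RDLENGTH:", cert_rdlength(SAMPLE_KEY))
    line = ipgp_cert_line(SAMPLE_OWNER, fingerprint_of(SAMPLE_KEY), SAMPLE_URL)
    print(line)
    _, _, _, data = parse_cert_line(line)
    fp, url = parse_ipgp_payload(data)
    print("fetch from", url, "and verify:", fetched_key_is_trusted(fp, SAMPLE_KEY))
```

The RDLENGTH helper is there for the size caveat the HOWTO weighs: a type-3 record carries the whole key, so the answer usually needs EDNS0 or TCP, while a type-6 record stays small but makes the security of the result depend on comparing the fetched key against the signed fingerprint rather than on the DNS answer alone.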