Discover Cryptography News
FreeS/WAN: The KEY debate
The DNS (Domain Name Service) Working Group of the IETF (International Engineering Task Force) has decided to restrict the use of KEY records to DNSsec keys, and has published its intent in a Key-Restrict draft.
This draft is an attempt to solve the "sub-typing problem": once you have more than one type of KEY, for DNSsec and other purposes, how do you differentiate between these types?
Since Opportunistic Encryption (OE) is designed to rely on the KEY record to distribute IPsec public keys, the Working Group's decision affects the Linux FreeS/WAN project.
Michael Richardson, Linux FreeS/WAN programmer, opposes the measures outlined in the draft. He commented, "[a]ny proposal that removes functionality without offering an immediate alternative is a complete and total non-starter." Notably, the draft does not suggest an alternative to the KEY record for other interests (for example IPsec and SSH) who are using, or would like to use, the KEY RR to distribute other information essential to network communications.
Scott Rose remarked on the proposed solution:
- Restricting KEY to DNSSEC only does solve the sub-typing problem - for DNSSEC. For everything else that wishes to use the DNS to store keys (IPSec and SSH are the only 2 that come to mind). APPKEY faced the same problem - it just pushed the subtyping problem off to all the other protocols and left DNSSEC as the lucky one.
- If it is good to restrict KEY to DNSSEC, then having a separate RR type for any other public key is a good idea too.
- My recollection of reading the OE draft was that you needed additional information above and beyond what was provided by the KEY record. In particular, IIRC, you needed a pointer to the gateway and the network size to use. This would be the perfect opportunity to combine this all into a single record!
- a BOF [in Atlanta] about using DNS to support other applications and set up a general framework/process for getting any type of network information in the DNS. Not just keys.
- For another month or so, I can change how Opportunistic Encryption works. It will be painful, but we can do it.
If the change is not proposed now, then we will continue deploying with the status quo, which is well supported.
The link for this article located at FreeS/WAN Project is no longer available.