On Wed, 23 Apr 2014, Mark Andrews wrote:
> > CERT also uses sub-typing, so you might end up getting all kind of types of certificates (like a PKIX cert) that you don't want or need. Granted, the _openpgpkey. prefix would at least prevent the non-malicious contamination, but you might still get all kinds of weird stuff. From what I understood, sub-typing was what really killed the CERT record, and everyone since has been strongly urged to stay away from sub-typing, and told to use _prefix. instead.
>
> Then you have failed to understand RFC 5507.

Hmm, I read from RFC 5507:

    When storing data in the DNS for a new application, the goal must be to store data in such a way that the application can query for the data it wants, while minimizing both the impact on existing applications and the amount of extra data transferred to the client. This implies that a number of design choices have to be made, where the most important is to ensure that a precise selection of what data to return must be made already in the query.

To me that reads as "don't do sub-typing", because the query cannot request the single type it is interested in, and can only get the full list.

> > The CERT record also does not offer a nice presentation format for the zone file. The RFC states:
> >
> > smith IN CERT PGP 0 0 <OpenPGP binary>
>
> CERT records have base64 as the presentation format of the binary blob.

The line above here containing "smith" comes straight from that same RFC, so that's a little confusing then :P I did not read "<OpenPGP binary>" as "base64" :P Maybe we should file an errata (if people cared about CERT)

Paul

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
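The CERT sub-typing problem discussed in this thread, as an added example that is not from the thread or from any DNS library: it builds RFC 4398 CERT RDATA for constructed (not real) PGP and PKIX blobs under one owner name, renders the base64 presentation form the thread argues about, and shows that a client wanting only the PGP entry still receives the whole RRset and has to filter it afterwards. All blobs, key tags and the owner name are made up for illustration.

```python
import base64
import struct

# Certificate type codes from RFC 4398 section 2.1 (only the two used here).
CERT_TYPES = {1: "PKIX", 3: "PGP"}
CERT_CODES = {name: code for code, name in CERT_TYPES.items()}


def cert_rdata(cert_type, key_tag, algorithm, blob):
    """Wire-format CERT RDATA: type(2) | key tag(2) | algorithm(1) | certificate."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + blob


def parse_cert_rdata(rdata):
    """Split CERT RDATA back into (type, key tag, algorithm, certificate blob)."""
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return cert_type, key_tag, algorithm, rdata[5:]


def cert_presentation(owner, rdata):
    """Zone-file form: owner IN CERT <type> <key tag> <alg> <base64 blob>.

    RFC 4398 shows the blob as '<OpenPGP binary>', but the actual presentation
    format of that field is base64, which is what this function emits.
    """
    cert_type, key_tag, algorithm, blob = parse_cert_rdata(rdata)
    mnemonic = CERT_TYPES.get(cert_type, str(cert_type))
    return f"{owner} IN CERT {mnemonic} {key_tag} {algorithm} " \
           f"{base64.b64encode(blob).decode('ascii')}"


def select_pgp(rrset):
    """Client-side filtering that sub-typing forces: the query for CERT cannot
    ask for 'PGP only', so every record arrives and is sifted here."""
    return [r for r in rrset if parse_cert_rdata(r)[0] == CERT_CODES["PGP"]]


def rrset_bytes(rrset):
    """Total RDATA bytes the client must transfer for one CERT query."""
    return sum(len(r) for r in rrset)


# Constructed sample blobs; these are not real certificates or keys.
PGP_BLOB = b"\x99\x01\x0dconstructed-openpgp-packet"
PKIX_BLOB = b"\x30\x82\x02\x0aconstructed-x509-der"

# One owner holding both a PKIX and a PGP CERT record (constructed RRset).
SMITH_RRSET = [
    cert_rdata(CERT_CODES["PKIX"], 12345, 8, PKIX_BLOB),
    cert_rdata(CERT_CODES["PGP"], 0, 0, PGP_BLOB),
]
```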
