On Thu, Apr 02, 2015 at 12:45:01AM -0400, Paul Wouters wrote:
> My problem is not with base32, it is with your suggested split and using
> a "." (or was it "\." and who knows what the difference is?)
Naturally the former, as the idea would be to create two labels,
not a label with a ".".
> I fear will cause interop issues. If we can do lossless encoding using
> gzip then base32 or something.
Gzip is not very good with short strings, you'd need enough data to
warrant the overhead. Mostly you lose:
$ echo viktor.dukhovni | wc -c
16
$ echo viktor.dukhovni | gzip -c | wc -c
36
$ echo Gabriel.Jose.de.la.Concordia.Garcia.Marquez | wc -c
44
$ echo Gabriel.Jose.de.la.Concordia.Garcia.Marquez | gzip -c | wc -c
62
If the goal is primarily not to support key "discovery" (security
for first contact when one is not even sure of the address), but
rather primarily key lookup for addresses known to be canonical
(thus iPhone capitalization e.g. is moot, since it will find an
address-book match I expect), then DNS not being able to find
keys for variant names is fine, and we don't need lossless encodings.
As for how people will publish their zones, we simply can't predict
what any particular domain will do, but we can be sure everything
that can be done will be done by someone.
Cloudflare's hosting of www.ietf.org uses online signing with P-256.
Note that for non-existent names they return NODATA rather than
NXDOMAIN (and the NSEC RRs claim to have all the standard RR types
other than the one you ask for):
$ dig +noall +comment +ans +auth +nocl +nottl +nosplit +dnssec -t tlsa
vvv.ietf.org.cdn.cloudflare-dnssec.net.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27653
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
cloudflare-dnssec.net. SOA ns1.cloudflare-dnssec.net.
dns.cloudflare.com. 2017357885 10000 2400 604800 3600
vvv.ietf.org.cdn.cloudflare-dnssec.net. NSEC
\003.vvv.ietf.org.cdn.cloudflare-dnssec.net. A WKS HINFO MX TXT AAAA LOC SRV
CERT SSHFP IPSECKEY RRSIG NSEC HIP TYPE61 SPF
$ dig +noall +comment +ans +auth +nocl +nosplit +dnssec -t a
vvv.ietf.org.cdn.cloudflare-dnssec.net.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59135
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
cloudflare-dnssec.net. SOA ns1.cloudflare-dnssec.net.
dns.cloudflare.com. 2017357885 10000 2400 604800 3600
vvv.ietf.org.cdn.cloudflare-dnssec.net. NSEC
\003.vvv.ietf.org.cdn.cloudflare-dnssec.net. WKS HINFO MX TXT AAAA LOC SRV CERT
SSHFP IPSECKEY RRSIG NSEC TLSA HIP TYPE61 SPF
Power-DNS is often configured to do online signing and to return
less radically creative "narrow-mode" NSEC3 RRs, (signature of
[hash-1, hash+1] interval).
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane