Public storage for public keys

Theo Schlossnagle jesus at omniti.com
Wed Jan 16 07:21:43 EST 2002


On Monday, January 14, 2002, at 08:33  PM, Frank Cusack wrote:
> On Mon, Jan 14, 2002 at 03:24:08PM -0800, Jason Stone wrote:
>> You _could_ use DNSSEC to distribute the keys, and I'm interested in why
>> this ended up being rejected?
>
> I'm not that familiar with dnssec, is it possible for the ssh client to
> know that dns lookups are via dnssec and not "just dns"?  If not, this
> sounds like a very bad idea.
>
> If there were a call getkeybyname() and that call only returned success
> if dnssec were used, that might be ok.  dunno.

I thought people might be interested in this.  One of the guys in my lab 
did a project on OpenSSH and DNSSEC integration for exactly this 
purpose.  It is sound.

http://www.cs.jhu.edu/~claudiu/projects/dnssecssh.html

--
Theo Schlossnagle
1024D/82844984/95FD 30F1 489E 4613 F22E  491A 7E88 364C 8284 4984
2047R/33131B65/71 F7 95 64 49 76 5D BA  3D 90 B9 9F BE 27 24 E7




More information about the openssh-unix-dev mailing list