I was reading through the IIM draft and noticed what I believe to be a syntax
problem. The draft in section 6.1.2 specifies that for DNS verification
the record should be stored at keyfp._krs.example.com in a KR type record,
and keyfp is base64.

Base64 is described in RFC3548 (btw - you need to specify if your use
of BASE64 is as described in section 3 of RFC3548 or section 4 - section 4
is the one that is URL safe and you send keyfp to the KRS server as a GET
parameter; but most people when talking about BASE64 mean the encoding
described in section 3 of RFC3548). The encoding uses both the upper and
lowercase Latin alphabet and the "=" sign. DNS records are however
case-insensitive and I think "=" is an invalid character for a host name.

I recommend that the next version of the draft change to BASE16 (i.e. regular
hex) for "keyfp" in "keyfp._krs.example.com". Another possibility is to
just put the fingerprint directly in the DNS record - it's not that long anyway.
--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
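
Added example, not part of the original message or of the IIM draft: a Python check of the two problems raised above, host name label syntax (the RFC 952 / RFC 1123 letter-digit-hyphen rule) and case-insensitive name comparison, applied to both RFC 3548 base64 alphabets and to base16. The 20-byte fingerprint, the helper names and the use of `lower()` to model case-insensitive matching are assumptions made for illustration.

```python
import base64
import re

# Host name label syntax (RFC 952 / RFC 1123): letters, digits, hyphen,
# 1-63 characters, no leading or trailing hyphen.
LDH_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# name -> (encode, decode) for each candidate keyfp encoding
CODECS = {
    "base64": (lambda b: base64.b64encode(b).decode(), base64.b64decode),
    "base64url": (lambda b: base64.urlsafe_b64encode(b).decode(),
                  base64.urlsafe_b64decode),
    "base16": (lambda b: b.hex(), bytes.fromhex),
}

SAMPLE_FP = bytes(range(20))  # constructed 20-byte fingerprint, not a real key

def is_hostname_label(label):
    return LDH_LABEL.fullmatch(label) is not None

def dns_view(label):
    # DNS compares names case-insensitively; model that by folding to lowercase.
    return label.lower()

def round_trips(name, fp):
    """True if fp can be recovered from the label after case folding."""
    encode, decode = CODECS[name]
    try:
        return decode(dns_view(encode(fp))) == fp
    except ValueError:
        return False

def collide(name, fp_a, fp_b):
    """True if two different fingerprints map to the same DNS owner label."""
    encode, _ = CODECS[name]
    return fp_a != fp_b and dns_view(encode(fp_a)) == dns_view(encode(fp_b))

def report(fp):
    """name -> (label, valid host name label?, survives case folding?)"""
    return {n: (CODECS[n][0](fp), is_hostname_label(CODECS[n][0](fp)),
                round_trips(n, fp)) for n in CODECS}

if __name__ == "__main__":
    for name, (label, valid, stable) in report(SAMPLE_FP).items():
        print(f"{name:10} {label}._krs.example.com valid={valid} stable={stable}")
    # Constructed pair: base64 gives "AAAA" and "aaaa", the same name in DNS.
    print(collide("base64", b"\x00\x00\x00", b"\x69\xa6\x9a"))
```
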