
Re: PGP security models, was Summary of IETF LC for draft-ietf-dane-openpgpkey

2015-09-23 15:15:21
On Wed, 23 Sep 2015, John R Levine wrote:

Sure, but once again you're no better off than if you got the key anywhere else. I understand the argument for better key servers and maybe better ways to discover key servers (a URI record should do it), but I don't understand the argument for a whole new mechanism with new security, scaling, and semantic problems.

Some people disagree with you and think DNSSEC is a viable PKI for their
intended use. These people want to use DNSSEC. We can give those people
an experimental RFC with OPENPGPKEY record, or we can force them to use
an individual submitted draft with a TXT record stalled until expiry.
Everybody resents that TXT records represent a grab-bag of items.

Stating your opinion that people should not use DNSSEC as a PKI is
irrelevant and these discussions happened in the late 90s. As a result
of those discussions, there was a change made from SIG/KEY/NXT to
RRSIG/DNSKEY/NSEC records to limit those records to DNSSEC itself,
and leaving the model open for new RRTYPEs building PKI type structures
using DNSSEC. Such records have now included TLSA and IPsec. OPENPGPKEY
fits fine in this model.

Paul
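An added example, not from this thread or from the draft's authors, of what a client does with an OPENPGPKEY record and why the DNSSEC-as-PKI argument above hinges on validation: the key is only worth anything if the resolver reports the answer as authenticated. Assumptions: the owner-name mapping is the one later published in RFC 7929 (SHA2-256 of the local-part, truncated to 28 octets, hex, then `._openpgpkey.<domain>`); resolver answers are modelled as plain dicts whose `ad` field stands in for the real AD bit; the sample key bytes are a constructed OpenPGP packet header, not a real key.

```python
"""Added example (not from the thread or any project): handling an OPENPGPKEY
answer the way a client should, accepting the key only when DNSSEC validated it.

Assumptions: owner-name mapping per RFC 7929 (SHA2-256 of the UTF-8 local-part,
first 28 octets, lowercase hex); resolver answers modelled as dicts with an 'ad'
flag standing in for the AD bit; SAMPLE_KEY is constructed, not a real key.
"""
import base64
import hashlib
from typing import Optional

OPENPGPKEY_LABEL = "_openpgpkey"


def openpgpkey_owner_name(email: str) -> str:
    """Map an email address to the DNS owner name of its OPENPGPKEY record."""
    local_part, sep, domain = email.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not an email address: {email!r}")
    # RFC 7929: SHA2-256 over the UTF-8 local-part, keep 28 octets, lowercase hex.
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}.{OPENPGPKEY_LABEL}.{domain}"


def parse_openpgpkey_rdata(presentation: str) -> bytes:
    """Decode the base64 presentation form of the RDATA into raw OpenPGP packets."""
    raw = base64.b64decode("".join(presentation.split()), validate=True)
    # Every OpenPGP packet header has bit 7 set (RFC 4880 section 4.2), and a
    # transferable public key must start with a Public-Key packet (tag 6).
    if not raw or not raw[0] & 0x80:
        raise ValueError("RDATA is not an OpenPGP packet stream")
    tag = (raw[0] & 0x3F) if raw[0] & 0x40 else (raw[0] >> 2) & 0x0F
    if tag != 6:
        raise ValueError(f"expected a Public-Key packet (tag 6), got tag {tag}")
    return raw


def select_trusted_key(email: str, answer: dict) -> Optional[bytes]:
    """Return the key bytes only when the answer is for the expected owner name
    and the resolver marked it as DNSSEC-validated; otherwise return None so the
    caller falls back to whatever other key discovery it trusts."""
    if answer.get("rcode") != "NOERROR":
        return None
    if answer.get("owner") != openpgpkey_owner_name(email):
        return None  # answer for a different name: never accept someone else's key
    if not answer.get("ad"):
        return None  # unvalidated data is no better than a key from anywhere else
    return parse_openpgpkey_rdata(answer["rdata"])


# Constructed sample: old-format Public-Key packet header (tag 6, one-octet
# length) followed by three placeholder octets. Not a real OpenPGP key.
SAMPLE_KEY = bytes([0x98, 0x03, 0x04, 0x00, 0x00])
SAMPLE_EMAIL = "hugh@example.com"


def demo():
    """Run the same record through a validated and an unvalidated answer."""
    owner = openpgpkey_owner_name(SAMPLE_EMAIL)
    rdata = base64.b64encode(SAMPLE_KEY).decode("ascii")
    validated = {"owner": owner, "rcode": "NOERROR", "ad": True, "rdata": rdata}
    unvalidated = dict(validated, ad=False)
    return (select_trusted_key(SAMPLE_EMAIL, validated),
            select_trusted_key(SAMPLE_EMAIL, unvalidated))


if __name__ == "__main__":
    with_ad, without_ad = demo()
    print("owner name:", openpgpkey_owner_name(SAMPLE_EMAIL))
    print("validated answer  ->", with_ad)
    print("unvalidated answer ->", without_ad)
```

The check on the `ad` flag is the whole security model in one line: a stub resolver that does not validate, or a path where the AD bit can be stripped, turns the record into an unauthenticated hint, which is exactly the "no better off than anywhere else" case; a validating resolver on localhost, or client-side validation, is what makes the DNSSEC-as-PKI position hold.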
