>
> Here is a first rough idea.
>
> The DNS admin provides a set of public keys as new DNS records (along the
> lines of Paul Vixie's proposed Mail From MX records, so no big
> implementation hassle for DNS) along with a key index for each key (just a
> tag distinguishing it from all the other keys for the same domain).
DNS has a rarely used Options field whereby you can insert various
information. We were going to use it for DNS-based content delivery
interworking (CDI), though that WG is all but dead. We had used it to pass
the source IP of the originating resolver so that the destination CDN could
best geo-position the content. Such a field might come into play here and
is fully interoperable with all DNS servers; it's simply ignored.
Anytime we want to get involved with DNS, we must keep in mind the current
state of security of the entire DNS system. If we end up defining some form
of a DNS-based standard, perhaps we should mandate the use of secure DNS.
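The mechanism described above (carrying an extra value in the EDNS(0) OPT pseudo-RR, RFC 6891's "options" field, and having receivers that do not understand it skip over it) as an added, stand-alone Python example; it is not code from the poster or from the CDI work. The option code 65001 is an assumption taken from the local/experimental range, since the post names no code, and the "originating resolver IP" option format (4 raw IPv4 bytes) is likewise assumed. The parser treats the option as untrusted input: anything malformed or absent yields None, which is the fallback a receiver needs because nothing in plain DNS authenticates this value.

```python
import socket
import struct
from typing import Dict, Optional

OPT_TYPE = 41  # EDNS(0) OPT pseudo-RR type (RFC 6891)
# Assumed option code from the local/experimental range (65001-65534);
# the original post names no code, so this is a stand-in for illustration.
OPT_RESOLVER_IP = 65001


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int, txid: int,
                resolver_ip: Optional[str], udp_size: int = 4096) -> bytes:
    """Build a DNS query; if resolver_ip is given, append an OPT RR carrying it."""
    arcount = 1 if resolver_ip is not None else 0
    # Header: id, flags (RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)  # QTYPE, IN
    if resolver_ip is not None:
        # One EDNS option: OPTION-CODE, OPTION-LENGTH, OPTION-DATA (assumed: raw IPv4)
        option = struct.pack("!HH", OPT_RESOLVER_IP, 4) + socket.inet_aton(resolver_ip)
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = extended RCODE / version / flags (all zero), RDATA = options
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, len(option)) + option
    return msg


def skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length


def parse_edns_options(msg: bytes) -> Dict[int, bytes]:
    """Return {option_code: option_data} from the OPT RR, or {} if there is none.

    A receiver that does not know a code just keeps walking; unknown options
    never stop it from reading the question or the rest of the message.
    """
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    options: Dict[int, bytes] = {}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        p = 0
        while p + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            options[code] = rdata[p + 4:p + 4 + olen]
            p += 4 + olen
    return options


def resolver_ip_from_query(msg: bytes) -> Optional[str]:
    """What a content-delivery server would do: use the option if present and well-formed."""
    data = parse_edns_options(msg).get(OPT_RESOLVER_IP)
    if data is None or len(data) != 4:
        return None  # absent or malformed: fall back to whatever else is known
    return socket.inet_ntoa(data)


if __name__ == "__main__":
    # Constructed sample: a query for www.example.com tagged with a documentation-range IP
    q = build_query("www.example.com", 1, 0x1234, "192.0.2.10")
    print(resolver_ip_from_query(q))
    print(resolver_ip_from_query(build_query("www.example.com", 1, 0x1234, None)))
```

Because the value rides in an unauthenticated UDP datagram, anyone who can inject or rewrite queries on the path can set it; that is exactly why the post's closing caveat about the overall security state of DNS applies to any field defined this way.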