[dns-operations] Is anyone actually using SSHFP records?

Phillip Hallam-Baker phill at hallambaker.com
Wed Feb 26 21:55:09 UTC 2025


On Wed, Feb 26, 2025 at 4:07 PM Philip Homburg <philip at nlnetlabs.nl> wrote:

>
> On 26/02/2025 21:33, Phillip Hallam-Baker wrote:
>
> The user experience I am aiming for with a webcam is Alice buys the
> webcam, gives it a name in the DNS space for her house
> 'webcam.house.example.com' and lists @alice.example.com, @bob.example.net,
> @carol.example.com as the list of people authorized to access it. From
> that point on, they can go to https://webcam.house.example.com/ and log
> in via OAUTH using a regular browser.
>
> Before moving on with the details of the protocol, it is worth considering
> whether it is smart to put handles for users in DNS. DNS is good at
> publishing information and a list of authorized users is typically not
> something you want to publish.
>

The authorizations don't go in the DNS. The only thing that goes into the
DNS is links to the metadata that allows the user to use it for various
purposes.

@phill.hallambaker.com is my Bluesky account; the unique identifier for my
account is in a TXT record with the domain _atproto.phill.hallambaker.com.

An authorization list is just a list of DNS names: {alice.example.com,
bob.example.net, carol.example.com}. That doesn't go into the DNS; the
webcam gets it out of band.

I see DNS Handles as being the next logical extension of the scope of the
DNS. At the start, DNS was used to identify only hosts. Then for email, it
was realized that what was needed was to identify an abstract service that
can be supported by a set of hosts. A DNS handle is a means of identifying
the user service as a domain.

Services can't resolve a handle to a user, but they can resolve it to a
means of identifying the user: how to authenticate them when they log in,
what messaging, voice and video apps they support, and how to connect to
them.
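As an added illustration of the two pieces described above (the `_atproto.<handle>` TXT record that maps a handle to a stable identifier, and an out-of-band authorization list that never touches the DNS), here is example code that is not part of the original post. It assumes the AT Protocol convention that the TXT record carries a single `did=...` value; the DNS answers are constructed in-line so it runs offline, and the `lookup_txt` callback is a hypothetical hook for a real resolver.

```python
import re
from typing import Callable, Iterable, Mapping

# Constructed sample DNS answers for this example. A real deployment would
# query a resolver here and should insist on DNSSEC-validated answers, since
# an attacker who can forge the TXT record can impersonate the handle.
SAMPLE_TXT: Mapping[str, tuple[str, ...]] = {
    "_atproto.alice.example.com": ("did=did:plc:aaaaaaaaaaaaaaaaaaaaaaaa",),
    # Unrelated TXT data at the same name must be ignored, not treated as an error.
    "_atproto.bob.example.net": ("v=spf1 -all", "did=did:web:bob.example.net"),
    "_atproto.carol.example.com": (),                        # nothing published
    "_atproto.mallory.example.org": ("did=did:plc:x", "did=did:plc:y"),  # ambiguous
}

LookupTxt = Callable[[str], Iterable[str]]

def sample_lookup(name: str) -> Iterable[str]:
    """Stand-in for a DNS TXT query; NXDOMAIN is modelled as an empty answer."""
    return SAMPLE_TXT.get(name, ())

# Loose syntactic check for did:plc / did:web identifiers.
DID_RE = re.compile(r"^did:[a-z]+:[A-Za-z0-9._:%-]+$")

class HandleResolutionError(Exception):
    """Raised when a handle cannot be resolved to exactly one well-formed DID."""

def resolve_handle(handle: str, lookup_txt: LookupTxt = sample_lookup) -> str:
    """Map a handle (a DNS name) to the DID published at _atproto.<handle>."""
    name = "_atproto." + handle.strip().lower().rstrip(".")
    dids = [r[len("did="):] for r in lookup_txt(name) if r.startswith("did=")]
    # Fail closed: zero records means nobody claimed the handle, two or more
    # means we cannot tell which identity the handle is meant to denote.
    if len(dids) != 1:
        raise HandleResolutionError(f"{name}: expected 1 did= record, got {len(dids)}")
    if not DID_RE.match(dids[0]):
        raise HandleResolutionError(f"{name}: malformed DID {dids[0]!r}")
    return dids[0]

def build_authorized_dids(handles: Iterable[str],
                          lookup_txt: LookupTxt = sample_lookup
                          ) -> tuple[dict[str, str], dict[str, str]]:
    """Turn the out-of-band list of handles into (handle -> DID, handle -> error).

    The DIDs are pinned at configuration time so that authorization is bound
    to the identity behind the handle, not to the mutable handle string.
    """
    allowed: dict[str, str] = {}
    failed: dict[str, str] = {}
    for h in handles:
        try:
            allowed[h] = resolve_handle(h, lookup_txt)
        except HandleResolutionError as e:
            failed[h] = str(e)
    return allowed, failed

def is_authorized(presented_handle: str, allowed: Mapping[str, str],
                  lookup_txt: LookupTxt = sample_lookup) -> bool:
    """Decide access for a handle asserted at login (e.g. after OAuth)."""
    try:
        did = resolve_handle(presented_handle, lookup_txt)
    except HandleResolutionError:
        return False          # unresolvable handles never get access
    return did in set(allowed.values())

if __name__ == "__main__":
    allowed, failed = build_authorized_dids(
        ["alice.example.com", "bob.example.net", "carol.example.com"])
    print("authorized:", allowed)
    print("not resolvable:", failed)
    print("alice allowed?", is_authorized("Alice.Example.Com.", allowed))
    print("mallory allowed?", is_authorized("mallory.example.org", allowed))
```

The design choice worth noting is that the webcam compares resolved DIDs, not handle strings: the DNS only publishes the pointer from name to identity, while the allow-list itself stays on the device, which is exactly the split argued for above. Requiring exactly one `did=` record and rejecting anything else keeps the check fail-closed when a zone is misconfigured or has been tampered with.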


Now to be sure, putting the contact record into the DNS is going to get
icky because you would really prefer the DNS data to be as static as
possible and that can't happen if you are putting hashes of metadata in the
DNS. So I am expecting to want to move to a situation where the data in the
DNS is a signing key for an assertion scheme.