nanog mailing list archives

Re: PGP keyserver infrastructure
From: Jeff Haas <jeffhaas () merit edu>
Date: Thu, 29 Jun 2000 13:13:20 -0400


On Thu, Jun 29, 2000 at 11:29:39AM -0400, Steven M. Bellovin wrote:
> The issue isn't so much network availability -- though a key server 
> designed to meet the needs of NANOG folks is interesting, since they 
> most need to talk to each other when the net isn't working well -- as 
> service availability.  That has all sorts of implications at the 
> application level.

Like RIPE, pgpkey (rfc2726) support is coming to the RADB Real Soon Now.
IRRd (the backend of the RADB) also has had work recently put into
the issue of verifying database synchronization.  This functionality
will be available to the IRRd community in the next release.

But a small (and incomplete) preview:

$ whois -h whois.radb.net "!j-*"
RADB:Y:14679-22498
ANS:Y:1-5855
RIPE:N:0-12149653
APNIC:N:0-240883
VERIO:Y:1295-3227
FGC:Y:650-1821
[snip]

Field explanation:

db-name:mirrorable:lowest_journal-currentserial:last_export

db-name: obvious
mirrorable: whether or not the querant is allowed to mirror this db.
lowest_journal: the starting range at which a mirror can be satisfied.
                always 0 for not-mirrorable.
currentserial: obvious
last_export: for databases that are exported to the ftp area, the last
             serial number at which the database was exported.  Useful
             for databases which are updated only periodically and don't
             need to be mirrored real-time.  (Not implemented yet.)

One of the missing components is the repository object to be
supplied by rps-dist which will allow you to check a secondary
or tertiary mirror's currentserial against the primary repository.
But at the moment, the list published at 
http://www.radb.net/docs/list.html provides a good start.

Between the current polling mechanism, the planned flooding mechanism
for rpsl-dist and the above for verifying synchronization, using the
IRR may be a reasonable storage location for PGP Keys.

(N.B.: The !j mechanism is an IRRd-only query extension at this point.
 But we are speaking to the other IRR software developers about
 providing similar support.)

>               --Steve Bellovin

-- 
Jeffrey Haas - Merit RSng project - jeffhaas () merit edu
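
An added example, not part of the original message and not IRRd code: a Python parser for the !j response format described above, with a check of a local mirror's serial against the range the server reports. The function names, the state labels and the catch-up rule (serial local+1 must still be in the journal) are assumptions made for illustration; the sample response is the one quoted in the message.

```python
import re
from typing import NamedTuple, Optional

# Sample response copied from the message above, "[snip]" line included.
SAMPLE = """\
RADB:Y:14679-22498
ANS:Y:1-5855
RIPE:N:0-12149653
APNIC:N:0-240883
VERIO:Y:1295-3227
FGC:Y:650-1821
[snip]
"""

# db-name:mirrorable:lowest_journal-currentserial[:last_export]
LINE = re.compile(r"([^:\s]+):([YN]):(\d+)-(\d+)(?::(\d+))?", re.ASCII)

class JournalStatus(NamedTuple):
    db: str
    mirrorable: bool
    lowest_journal: int
    current_serial: int
    last_export: Optional[int]  # the message says this field is not implemented yet

def parse_j(text):
    """Return {db-name: JournalStatus}, skipping blank or malformed lines."""
    out = {}
    for line in text.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m:
            continue  # e.g. "[snip]" or a truncated line
        db, flag, low, cur, export = m.groups()
        out[db] = JournalStatus(db, flag == "Y", int(low), int(cur),
                                int(export) if export else None)
    return out

def mirror_state(status, local_serial):
    """Classify a local mirror copy against the server's reported serials."""
    if not status.mirrorable:
        return "not-mirrorable"
    if local_serial > status.current_serial:
        return "ahead-of-source"  # local copy claims serials the source has not issued
    if local_serial == status.current_serial:
        return "in-sync"
    # Assumption: catching up requires serial local_serial+1 to still be journaled.
    if local_serial + 1 >= status.lowest_journal:
        return "behind-%d" % (status.current_serial - local_serial)
    return "needs-full-reload"

if __name__ == "__main__":
    dbs = parse_j(SAMPLE)
    for name, serial in (("RADB", 22498), ("VERIO", 3000), ("FGC", 100), ("RIPE", 5)):
        print(name, mirror_state(dbs[name], serial))
```

A mirror that reports "ahead-of-source" or "needs-full-reload" is the case worth alerting on, since stored keys on that copy can no longer be assumed to match the primary.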


