On Wed, 23 Sep 2015, John R Levine wrote:
> Sure, but once again you're no better off than if you got the key anywhere else. I understand the argument for better key servers and maybe better ways to discover key servers (a URI record should do it), but I don't understand the argument for a whole new mechanism with new security, scaling, and semantic problems.
Some people disagree with you and think DNSSEC is a viable PKI for their intended use. These people want to use DNSSEC. We can give those people an experimental RFC with an OPENPGPKEY record, or we can force them to use an individually submitted draft with a TXT record stalled until expiry. Everybody resents that TXT records represent a grab-bag of items.

Stating your opinion that people should not use DNSSEC as a PKI is irrelevant; these discussions happened in the late 90s. As a result of those discussions, there was a change made from SIG/KEY/NXT to RRSIG/DNSKEY/NSEC records to limit those records to DNSSEC itself, leaving the model open for new RRTYPEs building PKI-type structures using DNSSEC. Such records have now included TLSA and IPsec. OPENPGPKEY fits fine in this model.

Paul
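As an added illustration of the model Paul describes (a per-purpose RRTYPE whose owner name and rdata are fixed by its own spec, trusted only because the answer is DNSSEC-validated), here is example code that is not part of this thread or of any draft. It assumes the owner-name construction that the OPENPGPKEY record ended up with in RFC 7929 (SHA2-256 of the UTF-8 local-part, truncated to 28 octets, as 56 hex digits under `_openpgpkey.<domain>`), the TLSA owner-name form from RFC 6698 (`_<port>._<proto>.<host>`), and a constructed, hypothetical answer structure carrying the resolver's AD flag; the function names are mine.

```python
"""Owner names for DNSSEC-based PKI records and an AD-flag gate on the answers.

Assumptions (not from the thread): RFC 7929 owner-name rules for OPENPGPKEY,
RFC 6698 owner-name rules for TLSA, and a hypothetical answer format
{"name", "rrtype", "ad", "rdata"} standing in for a validating resolver's reply.
"""
import hashlib

OPENPGPKEY_LABEL = "_openpgpkey"
TRUNCATED_OCTETS = 28  # RFC 7929: SHA2-256 output truncated to 28 octets


def openpgpkey_owner_name(email: str) -> str:
    """Owner name for the OPENPGPKEY record of an email address (RFC 7929 s.3).

    The local-part is hashed as-is (case-sensitive); the split is on the last
    '@' so a quoted local-part containing '@' still works (assumption).
    """
    local_part, sep, domain = email.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not an email address: {email!r}")
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:TRUNCATED_OCTETS]
    return f"{digest.hex()}.{OPENPGPKEY_LABEL}.{domain.rstrip('.')}."


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name for the TLSA record of a service (RFC 6698 s.3)."""
    if not 0 < port < 65536:
        raise ValueError(f"bad port: {port}")
    return f"_{port}._{proto}.{host.rstrip('.')}."


def validated_rdata(answers, owner_name: str, rrtype: str):
    """Return rdata for owner_name/rrtype only if the resolver validated it.

    An answer without AD=1 (or without local DNSSEC validation) gives no more
    assurance than fetching the key from anywhere else, so it is ignored.
    Returns None when nothing usable is present.
    """
    for a in answers:
        if (a["name"] == owner_name and a["rrtype"] == rrtype and a["ad"]):
            return a["rdata"]
    return None


# Constructed sample answers: one validated OPENPGPKEY, one unvalidated copy,
# and a TLSA record for a web server. rdata bytes are placeholders.
HUGH = openpgpkey_owner_name("hugh@example.com")
WWW = tlsa_owner_name("www.example.com", 443)
SAMPLE_ANSWERS = [
    {"name": HUGH, "rrtype": "OPENPGPKEY", "ad": False, "rdata": b"unsigned-copy"},
    {"name": HUGH, "rrtype": "OPENPGPKEY", "ad": True, "rdata": b"signed-key"},
    {"name": WWW, "rrtype": "TLSA", "ad": True, "rdata": bytes([3, 1, 1]) + b"\x00" * 32},
]


def demo():
    key = validated_rdata(SAMPLE_ANSWERS, HUGH, "OPENPGPKEY")
    tlsa = validated_rdata(SAMPLE_ANSWERS, WWW, "TLSA")
    return key, tlsa


if __name__ == "__main__":
    print(HUGH)
    print(WWW)
    print(demo())
```

The same gate applies to any record type built on this model: the RRTYPE tells you how to parse the rdata, but only DNSSEC validation (the AD flag from a trusted validating resolver, or validation done locally) turns the answer into a PKI statement.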