Automatic key verification / CERT in DNS / RFC4398 (Was: [Announce] GnuPG 1.4.3 released)

Brad Knowles brad at stop.mail-abuse.org
Thu Apr 6 03:03:46 CEST 2006 

At 1:57 PM +0200 2006-04-05, Jeroen Massar wrote:

>>  	See DKIM.
>
>  Which is not there yet and will take the coming X years to be designed,
>  developed and deployed. While PGP is working already for several years
>  and has been proven to work very reliably.

	Yeah, but you're talking about inventing new protocol parts to 
fit into the overall PGP/GPG structure, and which will likewise take 
years to be designed, developed, and deployed in a 
standards-compliant manner.

	Keep in mind that relatively few people use any kind of personal 
encryption at all, and most that do make use of S/MIME instead of PGP 
or GPG, because S/MIME is what is provided by default from Microsoft 
and Netscape/Mozilla.  You're an anthill right now, and you've got to 
become a mountain before your proposal can start having any kind of 
measurable positive impact on the Internet community.  Assuming you 
get there at all, it's going to take you a while.

>>  	Think about ten million users, or fifty million.  Each user
>>  having several hundred bytes (or even several KB) of data stored for
>>  them.  Stored in the DNS.  In a single flat zone.  Bad idea.  Like,
>>  really bad idea.  Like, one of the worst DNS-related ideas I think
>>  I've ever heard of, at least in a very long time.
>
>  Checking http://dailychanges.com/ status of domains on 4/4/2006:
>  49,340,982 .com
>  7,425,723  .net
>
>  etc. so what was the issue again of storing a couple of million records
>  in DNS?

	Yeah, but those records don't change frequently, and most of 
those zones have relatively little information in them, and you're 
not trying to store a complete copy of all 49 million plus .com zones 
within the .com gTLD servers themselves.

	Try loading all 49+ million .com zones onto the same thirteen 
.com gTLD servers, and see what happens.  Now, have each of those 
.com sub-zones publish DNSSEC crypto records, all of which also has 
to be contained in the same single flat .com zone.

	I don't think there's a nameserver farm anywhere in the world 
that could handle that kind of load or those kinds of memory 
requirements.

>           If you claim it is a 'bad idea' then why does the CERT record
>  exist at all when it has the intentions of allowing PGP keys to be
>  stored? ;)
>
>  Using for instance nsd (http://www.nlnetlabs.nl/nsd/) should not pose a
>  problem in serving these amounts of contents.

	I'm familiar with NSD.  It is very fast, but also quite memory 
intensive.  There were some interesting reports at RIPE from the 
folks responsible for SUNET, which is secondary to some of the 
largest ccTLD zones in the world, and how they were unable to fit all 
the necessary data into very large quantities of memory on their 
server (something like 64GB of RAM?).

	Do you know of any machines that can have terabytes of RAM 
available to store that much data?


	Hundreds of GB of data stored on disk for serving up crypto keys 
for millions of users is not that much of a problem.  Okay, you're 
going to want some pretty beefy web servers with lots of RAM for 
caching, but you're never going to attempt to fit all that data into 
memory.

	That's not the way that most nameservers work.  Most nameservers 
(NSD especially) store all data in RAM, and when you're talking about 
relatively large crypto keys for each user in a group of tens of 
millions of users, that is highly non-scalable.

	Yes, there are database-backend nameservers, but unless you're 
going to pay some pretty big bucks for the Nominum software, they're 
relatively non-standard and relatively unknown.  And no one knows how 
even the best database-backend nameservers are going to handle data 
on these kinds of scales.

>  It is more a 'separation' question I am asking, so that one has a
>  subzone for these records, which will allow one to have say 3
>  nameservers, which are registered at the tld servers thus can't easily
>  be changed, for example.org but have 20, which you stuff in example.org,
>  handling the load for _certs.example.org where the CERTS are stored.
>  It's a choice item giving the possility of doing it.

	Flat databases don't scale.  We know this.  This is why we no 
longer use HOSTS.TXT, but instead use the hierarchical DNS.  Either 
find a way to do this kind of work in a hierarchy (so that the load 
can be spread out amongst many servers), or change the protocol used 
to store the data so that you're not trying to keep it all in RAM.

>  Which is why I noted that one could have a single pgp key for a complete
>  domain could cover all the cases where one doesn't have the enduser
>  signing the messages but a central system doing it for them. Which is in
>  effect what DKIM does but allowing the freedom to have per-user keys
>  too.

	So long as you stick to just one key for the entire domain, it 
doesn't matter if it's DKIM or PGP.  It still has some greatly 
increased CPU requirements (because every single message passing 
through the server will now have to be cryptographically signed, 
which will increase the CPU server load by many orders of magnitude 
per message), but at least it has the possibility of being scalable 
in terms of the amount of key data that has to be stored and accessed 
on a frequent basis.

>  Eg large sites like hotmail/gmail/yahoo/whatever could have a 'websign
>  key' where the outbound webengine signs the message for the user.
>  Presto, 60M users served with one key.

	I have yet to be convinced that cryptographically signing each 
and every message that passes through the server can be scalable in 
any common sense of the word, but at least that's a different problem 
which might be addressable through custom hardware.

	We did try this technique before -- it was called pgpsendmail, 
and it cryptographically signed every message passing through the 
system.  It didn't work very well, and few people ended up using it. 
I don't think that using this same concept all over again is likely 
to work any better this time than it did last time.

	But if you've got some new magic oil that could be applied to the 
process and instantly solve the problem, I'd be interested in hearing 
about it.


	Doing client-side signing and verification is definitely 
scalable, but is difficult to get jump-started.

>  I don't care if we go for PKA or CERT records as long as the silly
>  spoofing of source addresses gets halted.

	I don't think that's likely to happen any time soon.  The 
solutions which are easy to implement are non-scalable, and the 
scalable solutions are much more difficult to implement.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

  LOPSA member since December 2005.  See <http://www.lopsa.org/>.

More information about the Gnupg-devel mailing list