Automatic key verification / CERT in DNS / RFC4398

Julian Mehnle julian at
Thu Apr 6 12:37:56 CEST 2006


Brad Knowles wrote:
> Jeroen Massar wrote:
> > It is more a 'separation' question I am asking, so that one has a
> > subzone for these records, which will allow one to have say 3
> > nameservers, which are registered at the tld servers thus can't
> > easily be changed, for but have 20, which you stuff in
> >, handling the load for where the CERTS
> > are stored. It's a choice item giving the possibility of doing it.
> Flat databases don't scale.  We know this.  This is why we no
> longer use HOSTS.TXT, but instead use the hierarchical DNS.

Not really.  The real problem with HOSTS.TXT wasn't that it is flat, but 
that it is decentralized.  Rsync'ing it from a central register might have 
been viable (though not very elegant).  Thankfully we ended up with DNS 

> I have yet to be convinced that cryptographically signing each
> and every message that passes through the server can be scalable in
> any common sense of the word, but at least that's a different problem
> which might be addressable through custom hardware.

Signing each and every message may be slow, but slow doesn't imply 
unscalable.  You can still use n times the MTAs and be n times faster.  
That scales very well, actually.


More information about the Gnupg-devel mailing list