Automatic key verification / CERT in DNS / RFC4398
Julian Mehnle
julian at mehnle.net
Thu Apr 6 12:37:56 CEST 2006
Brad Knowles wrote:
> Jeroen Massar wrote:
> > It is more a 'separation' question I am asking, so that one has a
> > subzone for these records, which will allow one to have say 3
> > nameservers, which are registered at the tld servers thus can't
> > easily be changed, for example.org but have 20, which you stuff in
> > example.org, handling the load for _certs.example.org where the CERTS
> > are stored. It's a choice item giving the possibility of doing it.
>
> Flat databases don't scale. We know this. This is why we no
> longer use HOSTS.TXT, but instead use the hierarchical DNS.
Not really. The real problem with HOSTS.TXT wasn't that it is flat, but
that it is decentralized. Rsync'ing it from a central register might have
been viable (though not very elegant). Thankfully we ended up with DNS
anyway.
> I have yet to be convinced that cryptographically signing each
> and every message that passes through the server can be scalable in
> any common sense of the word, but at least that's a different problem
> which might be addressable through custom hardware.
Signing each and every message may be slow, but slow doesn't imply
unscalable. You can still use n times the MTAs and be n times faster.
That scales very well, actually.