Automatic key verification / CERT in DNS / RFC4398
julian at mehnle.net
Thu Apr 6 12:37:56 CEST 2006
Brad Knowles wrote:
> Jeroen Massar wrote:
> > It is more a 'separation' question I am asking, so that one has a
> > subzone for these records, which will allow one to have say 3
> > nameservers, which are registered at the tld servers thus can't
> > easily be changed, for example.org but have 20, which you stuff in
> > example.org, handling the load for _certs.example.org where the CERTS
> > are stored. It's a choice item giving the possibility of doing it.
> Flat databases don't scale. We know this. This is why we no
> longer use HOSTS.TXT, but instead use the hierarchical DNS.
Not really. The real problem with HOSTS.TXT wasn't that it is flat, but
that it is decentralized. Rsync'ing it from a central register might have
been viable (though not very elegant). Thankfully we ended up with DNS
> I have yet to be convinced that cryptographically signing each
> and every message that passes through the server can be scalable in
> any common sense of the word, but at least that's a different problem
> which might be addressable through custom hardware.
Signing each and every message may be slow, but slow doesn't imply
unscalable. You can still use n times the MTAs and be n times faster.
That scales very well, actually.
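The delegation Jeroen describes (a small, registry-registered nameserver set for example.org, a larger set serving only _certs.example.org where the CERT records live) is easy to sketch. The following is an added example, not code from this thread or from GnuPG: it encodes and decodes CERT RDATA in the RFC 4398 wire and master-file formats, and builds the NS delegation plus the CERT records for the subzone. The nameserver names, owner names such as julian._certs.example.org and the OpenPGP key bytes are constructed placeholders; the type value 3 for OpenPGP and the zero key tag and algorithm used with it come from RFC 4398.

```python
"""Encode/decode DNS CERT RRs (RFC 4398) and build a delegated _certs zone.

Added illustration; nameservers, owner names and key blobs are constructed.
"""
import base64
import struct

# Certificate type values from RFC 4398 (subset).
CERT_TYPE_PKIX = 1   # X.509 certificate as per PKIX
CERT_TYPE_SPKI = 2   # SPKI certificate
CERT_TYPE_PGP = 3    # OpenPGP packet


def encode_cert_rdata(cert_type, key_tag, algorithm, cert):
    """Wire-format RDATA: type (16 bits) | key tag (16) | algorithm (8) | certificate bytes."""
    if not (0 <= cert_type <= 0xFFFF and 0 <= key_tag <= 0xFFFF and 0 <= algorithm <= 0xFF):
        raise ValueError("CERT field out of range")
    if cert_type == CERT_TYPE_PGP and (key_tag, algorithm) != (0, 0):
        # RFC 4398: OpenPGP keys carry their own key IDs, so key tag and algorithm are zero.
        raise ValueError("OpenPGP CERT records use key tag 0 and algorithm 0")
    if not cert:
        raise ValueError("empty certificate")
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + bytes(cert)


def decode_cert_rdata(rdata):
    """Inverse of encode_cert_rdata; rejects truncated RDATA instead of slicing blindly."""
    if len(rdata) < 6:
        raise ValueError("CERT RDATA too short")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return cert_type, key_tag, algorithm, bytes(rdata[5:])


def cert_to_presentation(owner, ttl, rdata):
    """Master-file form: 'owner ttl IN CERT type key-tag algorithm base64-certificate'."""
    cert_type, key_tag, algorithm, cert = decode_cert_rdata(rdata)
    b64 = base64.b64encode(cert).decode("ascii")
    return f"{owner} {ttl} IN CERT {cert_type} {key_tag} {algorithm} {b64}"


def cert_from_presentation(line):
    """Parse one CERT record line back into (owner, ttl, wire rdata)."""
    fields = line.split()
    if len(fields) < 8 or fields[2:4] != ["IN", "CERT"]:
        raise ValueError("not a CERT record line")
    owner, ttl = fields[0], int(fields[1])
    cert_type, key_tag, algorithm = (int(f) for f in fields[4:7])
    # Zone files may break the base64 blob into several whitespace-separated chunks.
    cert = base64.b64decode("".join(fields[7:]), validate=True)
    return owner, ttl, encode_cert_rdata(cert_type, key_tag, algorithm, cert)


def delegation_records(apex, subzone_label, cert_ns, ttl=3600):
    """NS records placed in the apex zone, delegating <label>.<apex> to the CERT servers."""
    sub = f"{subzone_label}.{apex}"
    return [f"{sub}. {ttl} IN NS {ns}." for ns in cert_ns]


def build_certs_zone(apex, subzone_label, cert_ns, pgp_keys, ttl=3600):
    """Zone text for the subzone: its own NS set plus one OpenPGP CERT record per key.

    pgp_keys maps a local part to the raw OpenPGP key bytes (constructed here).
    """
    sub = f"{subzone_label}.{apex}"
    lines = delegation_records(apex, subzone_label, cert_ns, ttl)
    for local_part, key_blob in pgp_keys.items():
        rdata = encode_cert_rdata(CERT_TYPE_PGP, 0, 0, key_blob)
        lines.append(cert_to_presentation(f"{local_part}.{sub}.", ttl, rdata))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: three registry-registered servers for the apex would stay in
    # example.org; twenty cheaper servers can take the CERT query load for the subzone.
    cert_servers = [f"certs{i}.example.org" for i in range(1, 21)]
    sample_keys = {"julian": b"\x99\x01\x0d\x04" + b"\x00" * 8}  # not a real key
    print("\n".join(delegation_records("example.org", "_certs", cert_servers[:3])))
    print(build_certs_zone("example.org", "_certs", cert_servers, sample_keys))
```

Validating on decode (length check, type-specific field rules) is the part worth copying: a resolver or verifier that trusts a CERT answer's fields blindly is one short RDATA away from slicing past the end of the packet.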
More information about the Gnupg-devel