Automatic key verification / CERT in DNS / RFC4398

Brad Knowles brad at
Sat Apr 8 08:50:19 CEST 2006

At 10:56 PM +0200 2006-04-07, Werner Koch wrote:

>  Recall that requesting an actual key needs to be done only once in a
>  while - depends on how often you feel the need to check for
>  revocations.

	Recall that there are a whole multitude of horribly broken 
resolvers and nameservers out there, many of which will re-query for 
the same information at least once per second, ad infinitum -- 
regardless of whether or not you have answered their query in the 
previous second.

	Recall that there are these things called "TTLs" which are placed 
on DNS records, and poorly chosen TTLs could, all by themselves, 
cause a massive increase in load on the server & clients in question.

	Recall that if you try to cache the entire Internet, you're 
likely to run out of disk space.

	Everything about this problem screams for a solution that does 
*NOT* involve the DNS.  At the very least, does not involve the DNS 
except in some peripheral manner, such as using SRV records to tell 
people where your crypto key storage server is located and how to 
access it.

Brad Knowles, <brad at>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

  LOPSA member since December 2005.  See <>.

More information about the Gnupg-devel mailing list