Automatic key verification / CERT in DNS / RFC4398
Brad Knowles
brad at stop.mail-abuse.org
Sat Apr 8 08:50:19 CEST 2006
At 10:56 PM +0200 2006-04-07, Werner Koch wrote:
> Recall that requesting an actual key needs to be done only once in a
> while - depends on how often you feel the need to check for
> revocations.
Recall that there is a whole multitude of horribly broken resolvers and nameservers out there, many of which will re-query for the same information at least once per second, ad infinitum -- regardless of whether or not you have answered their query in the previous second.
Recall that there are these things called "TTLs" which are placed
on DNS records, and poorly chosen TTLs could, all by themselves,
cause a massive increase in load on the server & clients in question.
Recall that if you try to cache the entire Internet, you're
likely to run out of disk space.
Everything about this problem screams for a solution that does
*NOT* involve the DNS. At the very least, does not involve the DNS
except in some peripheral manner, such as using SRV records to tell
people where your crypto key storage server is located and how to
access it.
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
LOPSA member since December 2005. See <http://www.lopsa.org/>.
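The two behaviours contrasted in the message above, a client that honours TTLs versus one that effectively re-queries every second, and the SRV-based server discovery it suggests as the DNS's only role, as an added example that is not part of the original post. The zone `example.org`, the service label `_hkp._tcp`, the host names, port and TTLs are all constructed for this example; the ordering logic follows RFC 2782 (lowest priority first, weighted random within a priority), and the cache keeps an RRset for the shortest TTL it contains.

```python
"""SRV-based key server discovery with a TTL-respecting cache (added example)."""
import random
import time
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class SrvRecord:
    """One SRV RR: the RFC 2782 RDATA fields plus the RR's TTL."""
    priority: int
    weight: int
    port: int
    target: str
    ttl: int


# Constructed sample answer for a hypothetical _hkp._tcp.example.org SRV RRset.
# Zone, hosts, port and TTLs are made up for this example.
SAMPLE_SRV_ANSWER = {
    "_hkp._tcp.example.org.": [
        SrvRecord(10, 60, 11371, "keys1.example.org.", 3600),
        SrvRecord(10, 40, 11371, "keys2.example.org.", 3600),
        SrvRecord(20, 0, 11371, "keys-backup.example.org.", 3600),
    ],
}


def order_srv_targets(records, rng):
    """Order an SRV RRset per RFC 2782: ascending priority, and within one
    priority a weighted random order (weight-0 entries are least likely)."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        # RFC 2782: weight-0 records go first so a pick of 0 selects one of
        # them only when no weighted record precedes it in the running sum.
        group.sort(key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)          # inclusive on both ends
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


class CachingResolver:
    """Minimal stub resolver that re-queries only after the RRset's TTL expires."""

    def __init__(self, upstream, clock=time.monotonic):
        self._upstream = upstream        # callable: name -> list[SrvRecord]
        self._clock = clock              # injectable so the simulation is deterministic
        self._cache = {}                 # name -> (expires_at, records)
        self.upstream_queries = 0        # how many times the server was actually asked

    def resolve(self, name):
        now = self._clock()
        cached = self._cache.get(name)
        if cached is not None and now < cached[0]:
            return cached[1]
        records = self._upstream(name)
        self.upstream_queries += 1
        # Cache the whole RRset for its shortest TTL; a TTL of 0 caches nothing.
        self._cache[name] = (now + min(r.ttl for r in records), records)
        return records


def select_key_server(service_name, resolver, rng=None):
    """Resolve the SRV RRset through the cache and return (host, port) of the
    target a client should try first."""
    rng = rng if rng is not None else random.Random()
    ordered = order_srv_targets(resolver.resolve(service_name), rng)
    if not ordered:
        raise LookupError(f"no SRV records for {service_name}")
    return ordered[0].target, ordered[0].port


def simulate_client(seconds, ttl):
    """Count upstream queries for a client that asks once per second for
    `seconds` seconds, with every RR in the answer carrying the given TTL.
    A TTL of 0 or 1 reproduces the once-per-second re-query the post describes."""
    name = "_hkp._tcp.example.org."
    answer = [replace(r, ttl=ttl) for r in SAMPLE_SRV_ANSWER[name]]
    clock = {"t": 0}
    resolver = CachingResolver(lambda _n: answer, clock=lambda: clock["t"])
    for _ in range(seconds):
        resolver.resolve(name)
        clock["t"] += 1
    return resolver.upstream_queries


if __name__ == "__main__":
    for ttl in (3600, 60, 1, 0):
        print(f"TTL {ttl:>5}: {simulate_client(7200, ttl)} upstream queries in 2 hours")
    host, port = select_key_server("_hkp._tcp.example.org.",
                                   CachingResolver(SAMPLE_SRV_ANSWER.__getitem__),
                                   random.Random())
    print(f"try {host}:{port} first")
```

Running the simulation makes the TTL point concrete: over two hours a well-behaved client with a 3600-second TTL sends two queries, while a TTL of 1 (or a resolver that ignores TTLs, which looks the same from the server's side) sends 7200, and that factor scales with every client on the Internet that wants your key.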
More information about the Gnupg-devel mailing list