DNS keyserver (was Re: gnupg-1.0.7: keyserver subdir?)

Florian Weimer Weimer@CERT.Uni-Stuttgart.DE
Tue Jul 9 18:02:02 2002

David Shaw <dshaw@jabberwocky.com> writes:

> I have a few minor comments/concerns (maybe we should drag this over
> to gnupg-devel?):

I have one major concern:

The current approach is slower than HKP.

DNS is only more efficient if you stay below the 512 bytes (including
overhead) limit.  If answers get bigger, a full TCP connection is
required *in* *addition* to the initial request/answer pair. :-/

And I pretty much doubt that servers cache RRs which are a couple of
kilobytes large, so the current approach appears to be rather
pointless.  Sorry.

It might work better if you just store minimal revocation certificates
(those used by GnuPG) in DNS.
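To make the 512-byte argument concrete, the following added example (written for this page, not code from the thread or from GnuPG) estimates the wire size of a classic DNS answer carrying a blob in a TXT record and reports whether the server would have to truncate it, forcing the client into the extra TCP round trip; the owner name and blob sizes are constructed for illustration.

```python
"""Estimate whether a DNS answer carrying PGP material fits in a 512-byte
UDP datagram (classic DNS, no EDNS0) or forces a TCP retry."""

DNS_HEADER = 12   # fixed header: id, flags, and the four section counts
UDP_LIMIT = 512   # classic DNS UDP message limit (RFC 1035)

def wire_name_len(name: str) -> int:
    # Each label is one length byte plus its bytes, ending with the root label.
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l.encode()) for l in labels) + 1

def txt_rdata_len(payload: bytes) -> int:
    # TXT RDATA is a sequence of <len><bytes> strings, each at most 255 bytes.
    chunks = -(-len(payload) // 255) if payload else 1
    return len(payload) + chunks

def response_size(name: str, payload: bytes) -> int:
    """Wire size of a minimal response: header + question + one TXT RR.
    Simplification: the whole payload sits in a single TXT RR and the
    answer's owner name is a 2-byte compression pointer to the question."""
    question = wire_name_len(name) + 2 + 2       # QNAME, QTYPE, QCLASS
    rr_fixed = 2 + 2 + 2 + 4 + 2                 # ptr, TYPE, CLASS, TTL, RDLENGTH
    return DNS_HEADER + question + rr_fixed + txt_rdata_len(payload)

def needs_tcp(name: str, payload: bytes) -> bool:
    """True when the answer exceeds the UDP limit: the server sets TC and the
    client must retry over TCP on top of the UDP request/answer pair."""
    return response_size(name, payload) > UDP_LIMIT

if __name__ == "__main__":
    owner = "0x12345678.pgpkey.example."  # constructed owner name
    key_blob = b"x" * 2048                 # constructed: a full public key, ~2 KB
    revoke = b"x" * 300                    # constructed: a minimal revocation cert
    for label, blob in (("full key", key_blob), ("revocation cert", revoke)):
        print(f"{label}: {response_size(owner, blob)} bytes, "
              f"TCP needed: {needs_tcp(owner, blob)}")
```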

