DNS keyserver (was Re: gnupg-1.0.7: keyserver subdir?)

Michael Graff explorer@flame.org
Wed Jul 10 02:15:02 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Simon Josefsson <jas@extundo.com> writes:

> Yes, one UDP round-trip is wasted.  OTOH the server can guess that
> CERT RR's should be fetched with TCP, or it can use EDNS.0 to increase
> the 512 byte limit (EDNS.0 is required with IPv6 and DNSSEC anyway, if
> I recall correctly).

Cool.  A key server DDoS attack is in your future.  :)

That said, it's a good idea, and I considered writing one years ago,
but before EDNS0 there was no real use...

Remember that the max payload (and max rdata size) is still 64k -
headers, so you'll have to handle broken up data even over TCP.

- --Michael

> 
> Distributed caching, round-trip optimization, automatic fail over, and
> a possibility of having signed answers could still be advantages for
> DNS though.  Some of these can surely be implemented with HKP too, but
> doesn't seem to be today.
> 
> > And I pretty much doubt that servers cache RRs which are a couple of
> > kilobytes large, so the current approach appears to be rather
> > pointless.  Sorry.
> 
> I think DNS servers cache things unless you disable it by policy.  A
> department running a name server for the benefits of their users would
> probably not disable this by policy.  Then if everyone in the
> department received a signed email from the outside and retrieved the
> key, it would be a 1:n optimization.
> 
> But the amount of traffic we are talking about here is just noise, I
> don't see efficiency as the main advantage.
> 
> One advantage would be that eventually it could be possible to secure
> the link between a domain and user in that domain (consider
> company.com signing its zone containing references to their users
> keys).  Then a fake business card and a fake uploaded key on a
> keyserver isn't enough to mount a man-in-the-middle attack.
> 
> > It might work better if you just store minimal revocation certificates
> > (those used by GnuPG) in DNS.
> 
> Yes, that should be done.  If DNS is used for that, I don't see how it
> harms to have DNS as an option for retrieving certificates too.  I'm
> sure lots of people will continue to use HKP for many years anyway.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (NetBSD)
Comment: See http://www.flame.org/~explorer/pgp for my keys

iD8DBQE9K3yzl6Nz7kJWYWYRAlqoAJoCZozY5g2c+lAVxecFHqISMH84TwCeOy05
4BhkEb1Rpy4HZl2Hnt7xm14=
=5JVf
-----END PGP SIGNATURE-----
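The size problem the thread is talking about, shown as an added example that is not code from the thread or from GnuPG: a DNS responder builds a reply carrying one CERT RR with an OpenPGP key and decides, from the client's UDP payload limit (512 bytes by default, larger when the client sends an EDNS0 OPT record), whether the answer fits or the TC bit must be set so the client retries over TCP. The name, the key bytes and the fixed message id are constructed stand-ins; the 16-bit RDLENGTH check is the "still 64k" limit mentioned above.

```python
import struct

CERT_TYPE = 37         # CERT RR type (RFC 2538 / RFC 4398)
CERT_PGP = 3           # CERT certificate type: OpenPGP packet
OPT_TYPE = 41          # EDNS0 OPT pseudo-RR
MAX_RDLENGTH = 0xFFFF  # RDLENGTH is a 16-bit field, so rdata tops out at 64k
TC_FLAG = 0x0200       # truncation bit in the header flags

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_cert_response(name, key_bytes, udp_payload=512):
    """Build a reply holding one CERT RR. Returns (message, truncated).
    udp_payload is 512 for a plain client, or the size advertised in the
    client's EDNS0 OPT record. If the answer does not fit, it is dropped
    and TC is set so the resolver falls back to TCP (the wasted round trip)."""
    rdata = struct.pack("!HHB", CERT_PGP, 0, 0) + key_bytes  # key tag/alg 0 for PGP
    if len(rdata) > MAX_RDLENGTH:
        raise ValueError("CERT rdata exceeds the 16-bit RDLENGTH limit")
    qname = encode_name(name)
    question = qname + struct.pack("!HH", CERT_TYPE, 1)          # class IN
    answer = qname + struct.pack("!HHIH", CERT_TYPE, 1, 3600, len(rdata)) + rdata
    # Echo an OPT record only when the client used EDNS0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, 0) if udp_payload > 512 else b""
    def header(flags, ancount):
        return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 1 if opt else 0)
    full = header(0x8180, 1) + question + answer + opt            # QR, RD, RA
    if len(full) <= udp_payload:
        return full, False
    return header(0x8180 | TC_FLAG, 0) + question + opt, True

def is_truncated(message):
    """Client side: does this reply carry the TC bit (retry over TCP)?"""
    return bool(struct.unpack("!H", message[2:4])[0] & TC_FLAG)

def demo(key_size):
    """Constructed key of key_size bytes; returns (TC without EDNS0, TC with 4096-byte EDNS0)."""
    key = b"\x99" + bytes(key_size - 1)   # constructed stand-in for an OpenPGP key packet
    plain, _ = build_cert_response("alice.example.com", key)
    edns, _ = build_cert_response("alice.example.com", key, udp_payload=4096)
    return is_truncated(plain), is_truncated(edns)
```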