

To: Edward Lewis <lewis@tislabs.com>
Cc: dnssec@cafax.se
From: Randy Bush <randy@psg.com>
Date: Thu, 10 May 2001 15:25:18 -0400
Delivery-Date: Fri May 11 07:38:27 2001
Sender: owner-dnssec@cafax.se
Subject: Re: Keys at apex problem - New PUBKEY RR?

> I grok (see & understand) Randy's point.  A centralized infrastructure
> element, such as DNS, should be as simple and lightweight as possible for
> two reasons.  It should never break down.  It should never be a performance
> bottleneck (with breaking down an extreme case of this).  A long time ago I
> came to these conclusions when researching middleware (long time ago =
> pre-1035).  These long-held opinions of mine would lead me to agree with
> Randy - and I've already said I don't.
> 
> Why?  There isn't an option to DNS at this point.  I don't see a place
> applications can easily rely on to get meta-data.  I am aware of LDAP, but
> haven't been convinced that it's the way to go for pulling keys.
> 
> More importantly, I agree with Jakob that the use of DNS to hold keys is
> not a significant change from DNS without this service.

and this is why the problem has never been fixed.  we keep adding more
rotten tomatoes to the overfilled can because there always seems to be room
for one more tomato, and there are no other containers as easily abused.

hence no one ever makes more appropriate containers for vegetables (or
fruit, tomatoes are a fruit).  if we stop this feeping creaturism, dns
cruftification will slow, and the protein abusers will be forced to actually
solve their problems, maybe even in a nice clean and well-understood manner.

randy
