To: warlord@MIT.EDU (Derek Atkins)
Cc: bmanning@isi.edu, jas@extundo.com, jseng@pobox.org.sg, keydist@cafax.se
From: Bill Manning <bmanning@isi.edu>
Date: Tue, 9 Apr 2002 11:02:52 -0700 (PDT)
In-Reply-To: <sjmu1qkgajv.fsf@kikki.mit.edu> from Derek Atkins at "Apr 9, 2 11:24:04 am"
Sender: owner-keydist@cafax.se
Subject: Re: Let's assume DNS is involved
% Bill Manning <bmanning@isi.edu> writes:
%
% > % The caches that will cache keys/certs will be the caches within the
% > % organizations that chose to either put keys/certs in DNS or use
% > % keys/certs from DNS.
% >
% >
% > Say what? I have never seen a caching DNS server that selectively
% > caches data. The caches that will cache key/cert data will be
% > those caches which receive RRsets that include key/cert data.
%
% Right, but the only caches that receive RRsets that include key/cert
% data are the caches that sit in front of organizations that _use_
% key/cert data. If an application/resolver never requests key/cert
% data, it will never hit a cache (because a DNS Server will never
% arbitrarily send a key/cert RRset in a response).
%
% This means that caches in front of key/cert-using users are more
% likely to see key/cert RRsets than caches sitting in front of users
% that DON'T use key/cert records.
%

Are you stating that there can exist a key/cert RRset that is
independent of (not bound to) a larger RRset that would also include
either an A or PTR rr?

I always thought that an rrset would consist of:

	woozle	in	a	300.0.0.300
		cert	"x509 thingie"
		sig	"sig thingie"

and that

	woozle	in	cert	"x509 thingie"
		sig	"sig thingie"

would not be correct.  Time to check the code... :)

If a sig/cert rrset can exist w/o an associated A/PTR rr, then I will
agree w/ you.  If not, then I think that caching servers will try and
store all kinds of stuff that they may not "normally" expect.

--
--bill
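An added example, not part of the thread above and not code from any of its participants: a small Python model of what the two messages are arguing about. In DNS an RRset is the set of records sharing one owner name, class and type (RFC 2181, section 5), so a CERT RRset and an A RRset at the same name are separate units, and a cache only holds the RRsets that were actually requested through it. The zone fragment, the placeholder rdata strings, and the `Cache`/`resolve` helpers are all constructed for this illustration.

```python
from collections import defaultdict

# Constructed zone fragment (sample data, not from the mailing-list thread).
# The rdata fields are abbreviated placeholders, not real certificates or signatures.
ZONE_TEXT = """\
woozle.example.  300 IN A    192.0.2.10
woozle.example.  300 IN CERT 1 12345 5 PLACEHOLDER-CERT-1
woozle.example.  300 IN CERT 1 12346 5 PLACEHOLDER-CERT-2
woozle.example.  300 IN SIG  CERT 5 2 300 PLACEHOLDER-SIG
keyonly.example. 300 IN CERT 1 777 5 PLACEHOLDER-CERT-3
"""


def parse_zone(text):
    """Parse 'owner ttl class type rdata' lines into record tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, rclass, rtype, rdata = line.split(None, 4)
        records.append((owner.lower(), int(ttl), rclass, rtype, rdata))
    return records


def group_rrsets(records):
    """An RRset is every RR sharing owner name, class and type (RFC 2181 s.5).

    Returns {(owner, class, type): (ttl, [rdata, ...])}.  Note that A and CERT
    records at the same owner land in different RRsets.
    """
    rdatas = defaultdict(list)
    ttls = {}
    for owner, ttl, rclass, rtype, rdata in records:
        key = (owner, rclass, rtype)
        rdatas[key].append(rdata)
        # RFC 2181 requires one TTL per RRset; use the minimum if they differ.
        ttls[key] = min(ttl, ttls.get(key, ttl))
    return {key: (ttls[key], rdatas[key]) for key in rdatas}


class Cache:
    """A caching resolver keeps whole RRsets, keyed the same way the authority is."""

    def __init__(self):
        self._store = {}

    def store(self, key, ttl, rdatas, now):
        self._store[key] = (now + ttl, list(rdatas))

    def get(self, key, now):
        """Return the cached rdata list, or None if absent or expired."""
        entry = self._store.get(key)
        if entry is None or entry[0] <= now:
            self._store.pop(key, None)
            return None
        return entry[1]

    def keys(self):
        return set(self._store)


def resolve(cache, authority, qname, qtype, now, qclass="IN"):
    """Answer from cache if possible, otherwise fetch exactly the requested RRset.

    Only the RRset that was asked for is cached; sibling RRsets at the same
    owner name are not pulled in.  Negative caching (RFC 2308) is omitted.
    """
    key = (qname.lower(), qclass, qtype)
    cached = cache.get(key, now)
    if cached is not None:
        return cached, "cache"
    if key not in authority:
        return [], "authority-nodata"
    ttl, rdatas = authority[key]
    cache.store(key, ttl, rdatas, now)
    return rdatas, "authority"


def demo():
    """Walk a cache through three queries and report what it ends up holding."""
    authority = group_rrsets(parse_zone(ZONE_TEXT))
    cache = Cache()
    a, src_a = resolve(cache, authority, "woozle.example.", "A", now=0)
    cert, src_cert = resolve(cache, authority, "keyonly.example.", "CERT", now=10)
    no_a, src_no_a = resolve(cache, authority, "keyonly.example.", "A", now=10)
    return {
        "a": a,
        "cert": cert,
        "no_a": no_a,
        "cached_keys": cache.keys(),
        "sources": (src_a, src_cert, src_no_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the two points at once: `keyonly.example.` answers a CERT query with no A record at that name at all, and after the three queries the cache holds only the A RRset for `woozle.example.` and the CERT RRset for `keyonly.example.`, never the CERT or SIG records at `woozle.example.` that nobody asked for.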