To: Bill Manning <bmanning@isi.edu>
cc: jseng@pobox.org.sg, <keydist@cafax.se>
From: Simon Josefsson <simon+keydist@josefsson.org>
Date: Wed, 10 Apr 2002 15:16:06 +0200 (CEST)
In-Reply-To: <200204091400.g39E0Yo11683@boreas.isi.edu>
Sender: owner-keydist@cafax.se
Subject: Re: Let's assume DNS is involved
On Tue, 9 Apr 2002, Bill Manning wrote:

> % The caches that will cache keys/certs will be the caches within the
> % organizations that chose to either put keys/certs in DNS or use
> % keys/certs from DNS.
>
> Say what? I have never seen a caching DNS server that selectively
> caches data. The caches that will cache key/cert data will be
> those caches which receive RRsets that include key/cert data.

Right, and the only caches that will receive those RRsets would be those caches serving users who requested at least one RR out of the RRset.

If you want to save a few bits for the case when people frequently would request the A+SIG records but would not want the APPKEY/CERT records, you could place the SSH key under a SRV-style owner name. More speculatively, you could use two keys for the zone and have one of them not sign APPKEY/CERT data, and have the DNS server choose which answer to give depending on the query.

But all this work would only save you a few hundred bytes. A few hundred bytes that no one has presented evidence would matter. So maybe we shouldn't optimize before we know we need to optimize.