

To: "Eric A. Hall" <ehall@ehsco.com>
Cc: Pekka Savola <pekkas@netcore.fi>, Michael Richardson <mcr@sandelman.ottawa.on.ca>, Franck Martin <franck@sopac.org>, keydist@cafax.se, openssl-users@openssl.org, ietf@ietf.org, isdf@isoc.org
From: Simon Josefsson <simon+keydist@josefsson.org>
Date: Tue, 11 Jun 2002 20:46:17 +0200
In-Reply-To: <3D063B95.70608@ehsco.com> ("Eric A. Hall"'s message of "Tue,11 Jun 2002 13:04:05 -0500")
Mail-Followup-To: keydist@cafax.se
Reply-To: keydist@cafax.se
Sender: owner-keydist@cafax.se
User-Agent: Gnus/5.090007 (Oort Gnus v0.07) Emacs/21.2.90(i686-pc-linux-gnu)
Subject: Re: Global PKI on DNS?

(Please respect Reply-To)

"Eric A. Hall" <ehall@ehsco.com> writes:

> on 6/8/2002 8:54 PM Simon Josefsson said the following:
>
>> Despite the FUD presented by certain individuals that don't want
>> keys/certs in DNS, people have already started doing it and it works
>> fine.
>
> Setting aside the issue of whether or not people are spreading FUD,

I still wish a technical analysis of the consequences would be
performed by those who are critical...  Not using a protocol because
using it increases message sizes and round trips compared with not
using the protocol isn't a very convincing argument.

> perhaps you could tell us about your setup.

I am afraid that will require a shameless plug of my master thesis
(you asked for it! :-)):

http://josefsson.org/master-thesis/ 

Most answers to your questions can be found in it, but I'll continue
answering your questions specifically:

> How homogenous were the applications and operating systems that
> requested the certs?

Applications were all written in C, although parsing of responses was
done in Lisp in one application.  OSes were Win2k, GNU/Linux and
Solaris.

> What resolver calls did you use?

One application used the "dig" application and another used
getcertinfo() (I'm not sure OpenBSD ended up with that resolver API
though, but that was a proposed solution back then).

> What other RRs were bound to the owner names?

None, just one or more CERT RRs.

> How many delegation entries did you provide along with the data and
> what was the message size without the certs?

Not many; number and sizes were similar to what you normally find on
the net.

> How big were the certs? 

.5-2kb.

> Did any of the lookups overflow, and did everything support TCP
> fallback? 

Yes.  Practically all lookups overflow if DNSSEC is used so this
shouldn't surprise anyone. (Try "dig www.josefsson.org a +dnssec".)

TCP (and perhaps also EDNS.0) should probably be a requirement for
those applications and servers that want to use application keys in
DNS.

> and finally, do you think that the answers will be the same for all
> nodes across the global namespace?

No, there are other operating systems, programming languages, resolver
APIs, other RR owner name setups, different number of delegation
entries, and cert sizes than the ones I tried.

As for whether all nodes across the global namespace support TCP
fallback, I would agree with you that they don't, but I would not see
how it is relevant.  Such software would not see this kind of data
unless a user of the server tried to use this stuff, and in that case
I don't see why that user couldn't upgrade her own software to get it
to work.  If users want IPv6 they install IPv6; they (usually) don't
complain that IPv6 is broken since their IPv4 router doesn't support
it.
