

To: "Eric A. Hall" <ehall@ehsco.com>, John Stracke <jstracke@incentivesystems.com>
Cc: ietf <ietf@ietf.org>, <isdf@isoc.org>, Key Distribution <keydist@cafax.se>, <openssl-users@openssl.org>
From: David Conrad <david.conrad@nominum.com>
Date: Tue, 11 Jun 2002 18:00:13 -0700
In-Reply-To: <3D06891B.7000600@ehsco.com>
Sender: owner-keydist@cafax.se
User-Agent: Microsoft-Entourage/10.1.0.2006
Subject: Re: Global PKI on DNS?

On 6/11/02 4:34 PM, "Eric A. Hall" <ehall@ehsco.com> wrote:
>> The big deal is that some of the more restrictive ISPs may not permit
>> customers to bypass their DNS servers.  Same as with HTTP interception
>> proxies.
> No, the big deal is that the roots and TLDs would be crippled from
> millions of TCP queries for their certs.

Why do you think the roots and TLDs would get millions of TCP queries for
their certs?  Why would anyone want to get the certs of the roots or TLDs?

These arguments are going beyond silly and reaching ludicrous.  Yes, some
ISPs do stupid things.  That's when you choose a different ISP or come up
with some workaround.  Yes, there are broken DNS servers out there that
can't handle TCP queries.  Get an unbroken DNS server, there are plenty.
Yes, there may be fragmentation issues, however we are going to have to deal
with this if we're ever going to deploy DNSSEC.

Can we stop with the FUD?

Rgds,
-drc

