To: David Conrad <david.conrad@nominum.com>
Cc: "Eric A. Hall" <ehall@ehsco.com>, John Stracke <jstracke@incentivesystems.com>, ietf <ietf@ietf.org>, <isdf@isoc.org>, Key Distribution <keydist@cafax.se>, <openssl-users@openssl.org>
From: Derek Atkins <derek@ihtfp.com>
Date: 11 Jun 2002 21:51:26 -0400
In-Reply-To: <B92BEB2D.C922%david.conrad@nominum.com>
Sender: owner-keydist@cafax.se
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
Subject: Re: Global PKI on DNS?

David Conrad <david.conrad@nominum.com> writes:

> Why do you think the roots and TLDs would get millions of TCP queries for
> their certs?  Why would anyone want to get the certs of the roots or tlds?

Just to play devil's advocate, if a resolver was going to track a
signature chain all the way back up, it's going to have to request the
KEY/SIG records for all the parent domains all the way back to the
root.  In other words, resolvers all over the world are going to make
requests to verify the KEY of, e.g. .COM.  So, yes, there may be
millions of requests to the root servers for KEY/SIG records in order
to verify the leaf KEY/SIG record chains.

Hopefully caching will help, but the traffic for "COM. IN SIG" is
going to be a fairly popular DNSSec request, IMHO.

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
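An added illustration of the chain-walk described in the message above (example code, not part of the original post or of any DNS implementation): a toy validating resolver that starts from a root trust anchor, fetches the KEY/SIG pair of each ancestor zone down to the leaf, and counts how many KEY/SIG queries each zone's parent has to answer. The zone names, key bytes and the hash-based "signature" are constructed stand-ins for real DNSSEC records; the point is the query count per zone with and without a cache, across many independent resolvers.

```python
import hashlib
from collections import Counter

# Constructed toy data. In real DNSSEC the SIG is a public-key signature;
# here SIG is sha256(parent_key || child_key) so the chain checks offline.
def _sign(parent_key: bytes, child_key: bytes) -> bytes:
    return hashlib.sha256(parent_key + child_key).digest()

def parent_of(zone: str):
    """Return the parent zone name ('.' for TLDs, None for the root)."""
    if zone == ".":
        return None
    rest = zone.rstrip(".").split(".")[1:]
    return ".".join(rest) + "." if rest else "."

ROOT_KEY = b"root-key-constructed"
ZONE_KEYS = {
    ".": ROOT_KEY,
    "com.": b"com-key-constructed",
    "example.com.": b"example-key-constructed",
    "net.": b"net-key-constructed",
    "other.net.": b"other-key-constructed",
}
# RECORDS[zone] = (KEY, SIG); the SIG over a zone's KEY is made by its parent,
# so a query for "com." KEY/SIG is the one the root servers must answer.
RECORDS = {z: (k, _sign(ZONE_KEYS[parent_of(z)], k))
           for z, k in ZONE_KEYS.items() if z != "."}

class Resolver:
    """Minimal validating resolver: root key is the configured trust anchor."""
    def __init__(self, trust_anchor: bytes, use_cache: bool = True, records=None):
        self.trust_anchor = trust_anchor
        self.use_cache = use_cache
        self.records = RECORDS if records is None else records
        self.cache = {}
        self.queries = Counter()   # KEY/SIG queries issued, per zone

    def fetch_key_sig(self, zone: str):
        if self.use_cache and zone in self.cache:
            return self.cache[zone]
        self.queries[zone] += 1     # a real query leaves this resolver
        rec = self.records[zone]
        if self.use_cache:
            self.cache[zone] = rec
        return rec

    def validate(self, name: str) -> bool:
        """Walk from the leaf up to the root, then verify top-down."""
        chain, z = [], name
        while z != ".":
            chain.append(z)
            z = parent_of(z)
        parent_key = self.trust_anchor
        for zone in reversed(chain):          # "com.", then "example.com."
            key, sig = self.fetch_key_sig(zone)
            if sig != _sign(parent_key, key):
                return False                  # broken link in the chain
            parent_key = key
        return True

def simulate(n_resolvers: int, lookups, use_cache: bool) -> Counter:
    """Run n independent resolvers over the same lookups; return the total
    number of KEY/SIG queries per zone that the parents had to answer."""
    total = Counter()
    for _ in range(n_resolvers):
        r = Resolver(ROOT_KEY, use_cache)
        for name in lookups:
            if not r.validate(name):
                raise ValueError("validation failed for " + name)
        total.update(r.queries)
    return total

if __name__ == "__main__":
    work = ["example.com."] * 1000 + ["other.net."] * 1000
    print("no cache :", simulate(5, work, use_cache=False))
    print("with cache:", simulate(5, work, use_cache=True))
```

With caching each resolver asks the root for "com." KEY/SIG once, so root load scales with the number of resolvers rather than the number of lookups; without caching it scales with every validated name.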
