
To: Keith Moore <moore@cs.utk.edu>
Cc: David Conrad <david.conrad@nominum.com>, Key Distribution <keydist@cafax.se>
From: Jakob Schlyter <jakob@crt.se>
Date: Wed, 12 Jun 2002 08:48:23 +0200 (CEST)
In-Reply-To: <200206120436.g5C4amn00179@astro.cs.utk.edu>
Sender: owner-keydist@cafax.se
Subject: Re: Global PKI on DNS?

On Wed, 12 Jun 2002, Keith Moore wrote:

> > OK, I'll bite.  What are those problems?
>
> where to start?  okay, first the fact that DNS RRs aren't very
> extensible, so if you want to cram something new that doesn't quite fit
> then you have an upgrade problem.

resolvers are transparent to new rr types, secondary servers are beginning
to be transparent and primary servers of course need to support the rr
types they are serving.


> second, DNS queries don't let you specify any parameters other than DNS
> name, class, and a single integer query type, which isn't exactly a good
> fit for "find me a cert that is signed by one of the N CAs that I trust,
> and which has these properties and/or does not impose these
> constraints".

most applications would be fine with a simple query such as
'mail.foo.bar in cert ?' and can select the appropriate certificates out
of what's returned themselves. if response size would be a problem, one
could use _srv style naming or some naptr-like indirect naming.


> DNS might be redundant, but I wouldn't want to emulate its reliability
> record, or its performance.  I've seen too many DNS queries take longer
> than 30 seconds, too many servers providing obsolete information
> (probably because the zone was updated without incrementing the serial
> number, but sometimes because one server or another moved and they
> didn't get the configuration adjusted correctly).

misconfigured servers will always fail, no matter if they use dns, ldap or
what have you.


> it's almost as fun as trying to get old protocols to do things that they
> were never designed (and aren't well-suited) to do!

dns is pretty good at looking up some resource records that do not change
too often, based on a domain name.


	jakob