To: Keith Moore <moore@cs.utk.edu>
Cc: Key Distribution <keydist@cafax.se>
From: David Conrad <david.conrad@nominum.com>
Date: Wed, 12 Jun 2002 10:42:23 -0700
In-Reply-To: <200206120436.g5C4amn00179@astro.cs.utk.edu>
Sender: owner-keydist@cafax.se
User-Agent: Microsoft-Entourage/10.1.0.2006
Subject: Re: Global PKI on DNS?

Keith,

On 6/11/02 9:36 PM, "Keith Moore" <moore@cs.utk.edu> wrote:
> okay, first the fact that DNS RRs aren't very extensible,

CERT RRs are implemented in recent versions of all DNS servers I'm aware of.

> so if you want to cram something new that doesn't quite fit then you have
> an upgrade problem.

Older versions of BIND do have difficulties with RR types they don't
understand.  However, older versions of BIND also have difficulties keeping
user supplied data within buffers, so perhaps upgrading to current versions
would be a good idea in any case.  New versions of BIND and most other DNS
servers I'm aware of allow for "unknown" RRs.

> second, DNS queries don't let you specify any
> parameters other than DNS name, class, and a single integer query type,
> which isn't exactly a good fit for "find me a cert that is signed
> by one of the N CAs that I trust, and which has these properties and/or
> does not impose these constraints".

A valid concern in a world where people make a distinction between CAs they
trust and CAs they don't.  While we aren't there now (I'd be surprised if
more than 0.001% of the people using certs even know what a CA is), I would
agree that we may get there someday.  However, how many certs can you fit in
64K (assuming you don't want to use the namespace to address this issue)?

> Then again your cache
> also needs to be sensitive not only to things that DNS returns like
> TTLs but also expiration dates in certs.

Which already has to be done for DNSSEC.

> DNS might be redundant, but I wouldn't want to emulate its reliability
> record, or its performance.

Show me _any_ other highly distributed lookup system that handles the
quantity of lookups the DNS has, is resilient in the face of (some say) 85%
misconfiguration, and yet still responds to the _vast_ majority of queries
in tens to hundreds of milliseconds.

>> But hey, coming up with new protocols that do the same thing as old
>> protocols is fun, so why not?
> it's almost as fun as trying to get old protocols to do things that
> they were never designed (and aren't well-suited) to do!

Strange.  I was just talking with Paul Mockapetris yesterday and I do
believe he said the DNS was designed with the idea that it could be used as
a generic key/value lookup system as long as both the key and the value are
relatively static.

Rgds,
-drc